Windows Analysis Report
TEKLIF 2002509.exe

Overview

General Information

Sample name: TEKLIF 2002509.exe
Analysis ID: 1520407
MD5: 7a3bfa8d0ab2a9b1258925a73a037393
SHA1: 5785960ead180d8709d2b4e182ada67cf751a85c
SHA256: 8924d6255fe634004cc46de0a9ee6b4d7c44c1612947d747ebea2a6c06d2a37e
Tags: exe, geoTUR, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • TEKLIF 2002509.exe (PID: 3184 cmdline: "C:\Users\user\Desktop\TEKLIF 2002509.exe" MD5: 7A3BFA8D0AB2A9B1258925A73A037393)
    • powershell.exe (PID: 5088 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKLIF 2002509.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • TEKLIF 2002509.exe (PID: 5068 cmdline: "C:\Users\user\Desktop\TEKLIF 2002509.exe" MD5: 7A3BFA8D0AB2A9B1258925A73A037393)
      • explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • chkdsk.exe (PID: 1816 cmdline: "C:\Windows\SysWOW64\chkdsk.exe" MD5: B4016BEE9D8F3AD3D02DD21C3CAFB922)
          • cmd.exe (PID: 2732 cmdline: /c del "C:\Users\user\Desktop\TEKLIF 2002509.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 2848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Yara matches (memory dumps):
Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Author: unknown
Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Yara matches (unpacked PE):
Source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Author: unknown
Source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
Source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKLIF 2002509.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKLIF 2002509.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKLIF 2002509.exe", ParentImage: C:\Users\user\Desktop\TEKLIF 2002509.exe, ParentProcessId: 3184, ParentProcessName: TEKLIF 2002509.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKLIF 2002509.exe", ProcessId: 5088, ProcessName: powershell.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKLIF 2002509.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKLIF 2002509.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKLIF 2002509.exe", ParentImage: C:\Users\user\Desktop\TEKLIF 2002509.exe, ParentProcessId: 3184, ParentProcessName: TEKLIF 2002509.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKLIF 2002509.exe", ProcessId: 5088, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Malware Configuration Extractor: FormBook, C2 list: www.avada-casino-tlj.buzz/bc01/
Source: TEKLIF 2002509.exe, ReversingLabs: Detection: 73%
Source: Yara match, File source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.TEKLIF 2002509.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: TEKLIF 2002509.exe, Joe Sandbox ML: detected
Source: TEKLIF 2002509.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: TEKLIF 2002509.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: OBGu.pdbSHA2561h source: TEKLIF 2002509.exe
Source: Binary string: chkdsk.pdbGCTL source: TEKLIF 2002509.exe, 00000005.00000002.2270562283.0000000001037000.00000004.00000020.00020000.00000000.sdmp, TEKLIF 2002509.exe, 00000005.00000002.2270779723.00000000014B0000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000007.00000002.4600399976.0000000000C40000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: OBGu.pdb source: TEKLIF 2002509.exe
Source: Binary string: chkdsk.pdb source: TEKLIF 2002509.exe, 00000005.00000002.2270562283.0000000001037000.00000004.00000020.00020000.00000000.sdmp, TEKLIF 2002509.exe, 00000005.00000002.2270779723.00000000014B0000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000007.00000002.4600399976.0000000000C40000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: TEKLIF 2002509.exe, 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000003.2272873820.0000000005572000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000003.2270790993.00000000053C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: TEKLIF 2002509.exe, TEKLIF 2002509.exe, 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000003.2272873820.0000000005572000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000003.2270790993.00000000053C6000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe, Code function: 4x nop then pop edi, 5_2_0040E461
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 4x nop then pop edi, 7_2_04C6E461

Networking

Source: Malware configuration extractor, URLs: www.avada-casino-tlj.buzz/bc01/
Source: unknown, DNS traffic detected: query: www.avada-casino-tlj.buzz replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.ffpage.shop replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.nline-degree-6987776.world replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.mberbreeze.cyou replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.obs-for-seniors-39582.bond replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.sicologosportugueses.online replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.akemoneyonline.bond replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.ewferg.top replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.8009.top replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.uhtwister.cloud replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.nfluencer-marketing-17923.bond replaycode: Name error (3)
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: www.ffpage.shop
Source: global traffic, DNS traffic detected: DNS query: www.mberbreeze.cyou
Source: global traffic, DNS traffic detected: DNS query: www.obs-for-seniors-39582.bond
Source: global traffic, DNS traffic detected: DNS query: www.uhtwister.cloud
Source: global traffic, DNS traffic detected: DNS query: www.akemoneyonline.bond
Source: global traffic, DNS traffic detected: DNS query: www.sicologosportugueses.online
Source: global traffic, DNS traffic detected: DNS query: www.avada-casino-tlj.buzz
Source: global traffic, DNS traffic detected: DNS query: www.nline-degree-6987776.world
Source: global traffic, DNS traffic detected: DNS query: www.8009.top
Source: global traffic, DNS traffic detected: DNS query: www.nfluencer-marketing-17923.bond
Source: global traffic, DNS traffic detected: DNS query: www.ewferg.top
Source: explorer.exe, 00000006.00000002.4614750288.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000973C000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000006.00000002.4614750288.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000973C000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000006.00000002.4614750288.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000973C000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000006.00000002.4614750288.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000973C000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000006.00000000.2160221869.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.000000000962B000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000006.00000002.4609091546.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2156332726.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4613506646.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://schemas.micro
Source: TEKLIF 2002509.exe, 00000000.00000002.2149822978.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.8009.top
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.8009.top/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.8009.top/bc01/www.nfluencer-marketing-17923.bond
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.8009.topReferer:
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.akemoneyonline.bond
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.akemoneyonline.bond/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.akemoneyonline.bond/bc01/www.lkjuy.xyz
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.akemoneyonline.bondReferer:
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.avada-casino-tlj.buzz
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.avada-casino-tlj.buzz/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.avada-casino-tlj.buzz/bc01/www.nline-degree-6987776.world
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.avada-casino-tlj.buzzReferer:
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ealthandwellnessly.digital
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ealthandwellnessly.digital/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ealthandwellnessly.digital/bc01/www.ractors-42621.bond
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ealthandwellnessly.digitalReferer:
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.epatitis-treatment-26155.bond
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.epatitis-treatment-26155.bond/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.epatitis-treatment-26155.bond/bc01/www.ealthandwellnessly.digital
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.epatitis-treatment-26155.bondReferer:
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ewferg.top
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ewferg.top/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ewferg.top/bc01/www.epatitis-treatment-26155.bond
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ewferg.topReferer:
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.ffpage.shop
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ffpage.shop/bc01/
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ffpage.shop/bc01/www.mberbreeze.cyou
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ffpage.shopReferer:
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lkjuy.xyz
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lkjuy.xyz/bc01/
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lkjuy.xyz/bc01/www.sicologosportugueses.online
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lkjuy.xyzReferer:
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mberbreeze.cyou
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mberbreeze.cyou/bc01/
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mberbreeze.cyou/bc01/www.obs-for-seniors-39582.bond
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mberbreeze.cyouReferer:
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nfluencer-marketing-17923.bond
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nfluencer-marketing-17923.bond/bc01/
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nfluencer-marketing-17923.bond/bc01/www.ewferg.top
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nfluencer-marketing-17923.bondReferer:
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nline-degree-6987776.world
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nline-degree-6987776.world/bc01/
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nline-degree-6987776.world/bc01/www.8009.top
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nline-degree-6987776.worldReferer:
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.obs-for-seniors-39582.bond
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.obs-for-seniors-39582.bond/bc01/
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.obs-for-seniors-39582.bond/bc01/www.uhtwister.cloud
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.obs-for-seniors-39582.bondReferer:
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ractors-42621.bond
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ractors-42621.bond/bc01/
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ractors-42621.bond/bc01/www.torygame168.online
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ractors-42621.bondReferer:
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sicologosportugueses.online
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sicologosportugueses.online/bc01/
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sicologosportugueses.online/bc01/www.avada-casino-tlj.buzz
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sicologosportugueses.onlineReferer:
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.torygame168.online
          Source: explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.torygame168.online/bc01/
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.torygame168.online/bc01/_
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.torygame168.onlineReferer:
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uhtwister.cloud
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uhtwister.cloud/bc01/
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uhtwister.cloud/bc01/www.akemoneyonline.bond
          Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uhtwister.cloudReferer:
          Source: explorer.exe, 00000006.00000002.4614750288.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2161826176.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979331163.00000000099AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
          Source: explorer.exe, 00000006.00000002.4618097457.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2165698590.000000000BFDF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000006.00000000.2160221869.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000006.00000000.2160221869.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/I
          Source: explorer.exe, 00000006.00000002.4614750288.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000006.00000000.2160221869.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
          Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
          Source: explorer.exe, 00000006.00000002.4614750288.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000006.00000002.4614750288.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
          Source: explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
          Source: explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
          Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
          Source: explorer.exe, 00000006.00000002.4618097457.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075352059.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2985609705.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2165698590.000000000C048000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com-
          Source: explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
          Source: explorer.exe, 00000006.00000002.4618097457.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075352059.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2985609705.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2165698590.000000000C048000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.come
          Source: explorer.exe, 00000006.00000000.2165698590.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4618097457.000000000BFEF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comEMd
          Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000006.00000002.4614750288.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2161826176.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979331163.00000000099AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/e
          Source: explorer.exe, 00000006.00000002.4618097457.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075352059.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2985609705.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2165698590.000000000C048000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comM
          Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
          Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
          Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
          Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
          Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
          Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
          Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
          Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
          Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
          Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
          Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
          Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
          Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
          Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
          Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
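The explorer.exe strings above come from one heap that the injected FormBook module shares with the shell's own telemetry, so C2/decoy hosts sit next to msn.com and windows.com noise. What separates them in these rows is the path segment /bc01/ that every FormBook host carries, sometimes with the next domain of the list fused onto it (".../bc01/www.<next host>") and sometimes with a neighbouring "Referer:" string fused onto the bare host. The triage helper below is an added example, not Joe Sandbox or FormBook code; its sample input is a constructed subset of the rows above (memory region column shortened to one entry), and the token regex, the "Referer:" stripping and the bare-host rule are this example's own assumptions about the dump format, not documented report semantics.

```python
"""
Triage helper for the "String found in binary or memory" rows of this report.

Added example; not Joe Sandbox or FormBook code. Splits the dumped URLs into
FormBook C2/decoy candidates (hosts seen with a "/<token>/" beacon path, or
fused onto such a path as the next list entry) and explorer.exe's own shell
strings, then emits block-list rows for the candidates.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import urlsplit

STRING_MARK = "String found in binary or memory: "

# Assumed dump shape: "/<token>/", optionally followed by a fused
# "www.<next host>" and/or a stray "_" (both observed in the rows above).
TOKEN_PATH = re.compile(
    r"^/(?P<token>[a-z0-9]{2,8})/(?P<next>www\.[a-z0-9.-]+)?_?$", re.IGNORECASE
)

# Constructed sample: a subset of the report's own rows, with the memory
# region column shortened to a single sdmp entry for readability.
_SRC = ("Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000"
        ".00000004.00000001.00020000.00000000.sdmp " + STRING_MARK)
SAMPLE_LINES = [_SRC + u for u in (
    "http://www.ewferg.top",
    "http://www.ewferg.top/bc01/",
    "http://www.ewferg.top/bc01/www.epatitis-treatment-26155.bond",
    "http://www.ewferg.topReferer:",
    "http://www.torygame168.online/bc01/_",
    "http://www.uhtwister.cloud/bc01/www.akemoneyonline.bond",
    "https://api.msn.com/v1/news/Feed/Windows?",
    "https://wns.windows.com/e",
    "https://arc.msn.com",
)]


@dataclass
class Triage:
    tokens: Counter = field(default_factory=Counter)    # beacon path token -> hits
    c2_hosts: set[str] = field(default_factory=set)     # FormBook C2/decoy candidates
    other_hosts: set[str] = field(default_factory=set)  # shell telemetry and other noise
    unparsed: list[str] = field(default_factory=list)   # rows urlsplit could not read


def extract_url(line: str) -> str | None:
    """Return the URL column of a report row, or None for rows without one."""
    if STRING_MARK not in line:
        return None
    url = line.split(STRING_MARK, 1)[1].strip()
    # Observed artefact: an adjacent "Referer:" header string fused onto the host.
    return url.removesuffix("Referer:")


def triage(lines) -> Triage:
    """Classify every URL row into FormBook candidates or shell noise."""
    result = Triage()
    bare: set[str] = set()
    for line in lines:
        url = extract_url(line)
        if url is None:
            continue
        parts = urlsplit(url)
        host = parts.hostname
        if not host:
            result.unparsed.append(url)
            continue
        match = TOKEN_PATH.match(parts.path)
        if match:
            result.tokens[match["token"].lower()] += 1
            result.c2_hosts.add(host)
            if match["next"]:
                result.c2_hosts.add(match["next"].lower())
        elif parts.path in ("", "/"):
            bare.add(host)  # decided once every token-carrying host is known
        else:
            result.other_hosts.add(host)
    # A bare "http://www.x" row only matters if x also appears with the beacon path.
    result.other_hosts |= bare - result.c2_hosts
    return result


def beacon_token(result: Triage) -> str | None:
    """The dominant path token; "bc01" for this report."""
    return result.tokens.most_common(1)[0][0] if result.tokens else None


def ioc_rows(result: Triage) -> list[str]:
    """Block-list rows, one per candidate host, with the beacon URL it would use."""
    token = beacon_token(result)
    return [f"{host},http://{host}/{token}/" for host in sorted(result.c2_hosts)]


if __name__ == "__main__":
    r = triage(SAMPLE_LINES)
    print("beacon token:", beacon_token(r))
    print("\n".join(ioc_rows(r)))
    print("ignored shell hosts:", ", ".join(sorted(r.other_hosts)))
```

Run against the full row set above, the same logic yields the complete decoy list, including hosts such as www.8009.top and www.avada-casino-tlj.buzz that appear only as fused "next" entries and would be missed by a host-only grep. Treat the output as candidates: FormBook mixes live C2 with decoys, so the block list is a starting point for DNS and proxy log review, not proof that every host was contacted.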

          E-Banking Fraud

Source: Yara match File source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.TEKLIF 2002509.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

Source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.TEKLIF 2002509.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 5.2.TEKLIF 2002509.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.TEKLIF 2002509.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.TEKLIF 2002509.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2270725098.000000000146F000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: TEKLIF 2002509.exe PID: 3184, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: TEKLIF 2002509.exe PID: 5068, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR | Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: Process Memory Space: chkdsk.exe PID: 1816, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0041A330 NtCreateFile, | 5_2_0041A330
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0041A3E0 NtReadFile, | 5_2_0041A3E0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0041A460 NtClose, | 5_2_0041A460
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0041A510 NtAllocateVirtualMemory, | 5_2_0041A510
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0041A3DB NtReadFile, | 5_2_0041A3DB
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0041A50F NtAllocateVirtualMemory, | 5_2_0041A50F
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2B60 NtClose,LdrInitializeThunk, | 5_2_015D2B60
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, | 5_2_015D2BF0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2AD0 NtReadFile,LdrInitializeThunk, | 5_2_015D2AD0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2D10 NtMapViewOfSection,LdrInitializeThunk, | 5_2_015D2D10
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2D30 NtUnmapViewOfSection,LdrInitializeThunk, | 5_2_015D2D30
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2DD0 NtDelayExecution,LdrInitializeThunk, | 5_2_015D2DD0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2DF0 NtQuerySystemInformation,LdrInitializeThunk, | 5_2_015D2DF0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2C70 NtFreeVirtualMemory,LdrInitializeThunk, | 5_2_015D2C70
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2CA0 NtQueryInformationToken,LdrInitializeThunk, | 5_2_015D2CA0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2F30 NtCreateSection,LdrInitializeThunk, | 5_2_015D2F30
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2FE0 NtCreateFile,LdrInitializeThunk, | 5_2_015D2FE0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2F90 NtProtectVirtualMemory,LdrInitializeThunk, | 5_2_015D2F90
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2FB0 NtResumeThread,LdrInitializeThunk, | 5_2_015D2FB0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2E80 NtReadVirtualMemory,LdrInitializeThunk, | 5_2_015D2E80
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, | 5_2_015D2EA0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D4340 NtSetContextThread, | 5_2_015D4340
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D4650 NtSuspendThread, | 5_2_015D4650
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2BE0 NtQueryValueKey, | 5_2_015D2BE0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2B80 NtQueryInformationFile, | 5_2_015D2B80
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2BA0 NtEnumerateValueKey, | 5_2_015D2BA0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2AF0 NtWriteFile, | 5_2_015D2AF0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2AB0 NtWaitForSingleObject, | 5_2_015D2AB0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2D00 NtSetInformationFile, | 5_2_015D2D00
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2DB0 NtEnumerateKey, | 5_2_015D2DB0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2C60 NtCreateKey, | 5_2_015D2C60
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2C00 NtQueryInformationProcess, | 5_2_015D2C00
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2CC0 NtQueryVirtualMemory, | 5_2_015D2CC0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2CF0 NtOpenProcess, | 5_2_015D2CF0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2F60 NtCreateProcessEx, | 5_2_015D2F60
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2FA0 NtQuerySection, | 5_2_015D2FA0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2E30 NtWriteVirtualMemory, | 5_2_015D2E30
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D2EE0 NtQueueApcThread, | 5_2_015D2EE0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D3010 NtOpenDirectoryObject, | 5_2_015D3010
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D3090 NtSetValueKey, | 5_2_015D3090
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D35C0 NtCreateMutant, | 5_2_015D35C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D39B0 NtGetContextThread, | 5_2_015D39B0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D3D70 NtOpenThread, | 5_2_015D3D70
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D3D10 NtOpenProcessToken, | 5_2_015D3D10
Source: C:\Windows\explorer.exe | Code function: 6_2_0E39F232 NtCreateFile, | 6_2_0E39F232
Source: C:\Windows\explorer.exe | Code function: 6_2_0E3A0E12 NtProtectVirtualMemory, | 6_2_0E3A0E12
Source: C:\Windows\explorer.exe | Code function: 6_2_0E3A0E0A NtProtectVirtualMemory, | 6_2_0E3A0E0A
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792D10 NtMapViewOfSection,LdrInitializeThunk, | 7_2_05792D10
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792DF0 NtQuerySystemInformation,LdrInitializeThunk, | 7_2_05792DF0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792DD0 NtDelayExecution,LdrInitializeThunk, | 7_2_05792DD0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792C70 NtFreeVirtualMemory,LdrInitializeThunk, | 7_2_05792C70
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792C60 NtCreateKey,LdrInitializeThunk, | 7_2_05792C60
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792CA0 NtQueryInformationToken,LdrInitializeThunk, | 7_2_05792CA0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792F30 NtCreateSection,LdrInitializeThunk, | 7_2_05792F30
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792FE0 NtCreateFile,LdrInitializeThunk, | 7_2_05792FE0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, | 7_2_05792EA0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792B60 NtClose,LdrInitializeThunk, | 7_2_05792B60
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792BF0 NtAllocateVirtualMemory,LdrInitializeThunk, | 7_2_05792BF0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792BE0 NtQueryValueKey,LdrInitializeThunk, | 7_2_05792BE0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792AD0 NtReadFile,LdrInitializeThunk, | 7_2_05792AD0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_057935C0 NtCreateMutant,LdrInitializeThunk, | 7_2_057935C0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05794650 NtSuspendThread, | 7_2_05794650
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05794340 NtSetContextThread, | 7_2_05794340
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792D30 NtUnmapViewOfSection, | 7_2_05792D30
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792D00 NtSetInformationFile, | 7_2_05792D00
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792DB0 NtEnumerateKey, | 7_2_05792DB0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792C00 NtQueryInformationProcess, | 7_2_05792C00
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792CF0 NtOpenProcess, | 7_2_05792CF0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792CC0 NtQueryVirtualMemory, | 7_2_05792CC0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792F60 NtCreateProcessEx, | 7_2_05792F60
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792FB0 NtResumeThread, | 7_2_05792FB0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792FA0 NtQuerySection, | 7_2_05792FA0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792F90 NtProtectVirtualMemory, | 7_2_05792F90
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792E30 NtWriteVirtualMemory, | 7_2_05792E30
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792EE0 NtQueueApcThread, | 7_2_05792EE0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792E80 NtReadVirtualMemory, | 7_2_05792E80
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792BA0 NtEnumerateValueKey, | 7_2_05792BA0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792B80 NtQueryInformationFile, | 7_2_05792B80
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792AF0 NtWriteFile, | 7_2_05792AF0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05792AB0 NtWaitForSingleObject, | 7_2_05792AB0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05793010 NtOpenDirectoryObject, | 7_2_05793010
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05793090 NtSetValueKey, | 7_2_05793090
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05793D70 NtOpenThread, | 7_2_05793D70
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05793D10 NtOpenProcessToken, | 7_2_05793D10
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_057939B0 NtGetContextThread, | 7_2_057939B0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_04C7A460 NtClose, | 7_2_04C7A460
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_04C7A510 NtAllocateVirtualMemory, | 7_2_04C7A510
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_04C7A3E0 NtReadFile, | 7_2_04C7A3E0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_04C7A330 NtCreateFile, | 7_2_04C7A330
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_04C7A50F NtAllocateVirtualMemory, | 7_2_04C7A50F
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_04C7A3DB NtReadFile, | 7_2_04C7A3DB
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_0550A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread, | 7_2_0550A036
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05509BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, | 7_2_05509BAF
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_0550A042 NtQueryInformationProcess, | 7_2_0550A042
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05509BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, | 7_2_05509BB2
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 0_2_00D4DEEC | 0_2_00D4DEEC
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 0_2_07A047A8 | 0_2_07A047A8
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 0_2_07A05FA8 | 0_2_07A05FA8
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 0_2_07A04798 | 0_2_07A04798
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 0_2_07A06DE8 | 0_2_07A06DE8
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 0_2_07A05D37 | 0_2_07A05D37
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 0_2_07A04370 | 0_2_07A04370
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 0_2_07A0B938 | 0_2_07A0B938
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 0_2_07A068D8 | 0_2_07A068D8
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0041E857 | 5_2_0041E857
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_00401030 | 5_2_00401030
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0041DAED | 5_2_0041DAED
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0041DA9C | 5_2_0041DA9C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0041E4DB | 5_2_0041E4DB
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0041D573 | 5_2_0041D573
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_00402D89 | 5_2_00402D89
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_00402D90 | 5_2_00402D90
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0041EE4C | 5_2_0041EE4C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_00409E5B | 5_2_00409E5B
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_00409E60 | 5_2_00409E60
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_00402FB0 | 5_2_00402FB0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_01628158 | 5_2_01628158
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_01590100 | 5_2_01590100
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0163A118 | 5_2_0163A118
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_016581CC | 5_2_016581CC
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_016601AA | 5_2_016601AA
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_01632000 | 5_2_01632000
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0165A352 | 5_2_0165A352
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_016603E6 | 5_2_016603E6
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015AE3F0 | 5_2_015AE3F0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_01640274 | 5_2_01640274
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_016202C0 | 5_2_016202C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015A0535 | 5_2_015A0535
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_01660591 | 5_2_01660591
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_01652446 | 5_2_01652446
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0164E4F6 | 5_2_0164E4F6
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015C4750 | 5_2_015C4750
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015A0770 | 5_2_015A0770
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0159C7C0 | 5_2_0159C7C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015BC6E0 | 5_2_015BC6E0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015B6962 | 5_2_015B6962
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0166A9A6 | 5_2_0166A9A6
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015A29A0 | 5_2_015A29A0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015A2840 | 5_2_015A2840
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015AA840 | 5_2_015AA840
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015CE8F0 | 5_2_015CE8F0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015868B8 | 5_2_015868B8
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0165AB40 | 5_2_0165AB40
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_01656BD7 | 5_2_01656BD7
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0159EA80 | 5_2_0159EA80
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015AAD00 | 5_2_015AAD00
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0159ADE0 | 5_2_0159ADE0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015B8DBF | 5_2_015B8DBF
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015A0C00 | 5_2_015A0C00
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_01590CF2 | 5_2_01590CF2
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_01640CB5 | 5_2_01640CB5
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_01614F40 | 5_2_01614F40
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015C0F30 | 5_2_015C0F30
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015E2F28 | 5_2_015E2F28
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_01592FC8 | 5_2_01592FC8
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015ACFE0 | 5_2_015ACFE0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0161EFA0 | 5_2_0161EFA0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015A0E59 | 5_2_015A0E59
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0165EE26 | 5_2_0165EE26
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0165EEDB | 5_2_0165EEDB
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015B2E90 | 5_2_015B2E90
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0165CE93 | 5_2_0165CE93
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0166B16B | 5_2_0166B16B
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0158F172 | 5_2_0158F172
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015D516C | 5_2_015D516C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015AB1B0 | 5_2_015AB1B0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0165F0E0 | 5_2_0165F0E0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_016570E9 | 5_2_016570E9
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015A70C0 | 5_2_015A70C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0164F0CC | 5_2_0164F0CC
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0158D34C | 5_2_0158D34C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0165132D | 5_2_0165132D
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015E739A | 5_2_015E739A
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_016412ED | 5_2_016412ED
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015BB2C0 | 5_2_015BB2C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015A52A0 | 5_2_015A52A0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_01657571 | 5_2_01657571
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0163D5B0 | 5_2_0163D5B0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_01591460 | 5_2_01591460
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0165F43F | 5_2_0165F43F
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0165F7B0 | 5_2_0165F7B0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_016516CC | 5_2_016516CC
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015A9950 | 5_2_015A9950
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015BB950 | 5_2_015BB950
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_01635910 | 5_2_01635910
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0160D800 | 5_2_0160D800
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015A38E0 | 5_2_015A38E0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0165FB76 | 5_2_0165FB76
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_01615BF0 | 5_2_01615BF0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015DDBF9 | 5_2_015DDBF9
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015BFB80 | 5_2_015BFB80
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_01613A6C | 5_2_01613A6C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_01657A46 | 5_2_01657A46
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0165FA49 | 5_2_0165FA49
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0164DAC6 | 5_2_0164DAC6
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0163DAAC | 5_2_0163DAAC
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015E5AA0 | 5_2_015E5AA0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_01657D73 | 5_2_01657D73
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015A3D40 | 5_2_015A3D40
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_01651D5A | 5_2_01651D5A
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015BFDC0 | 5_2_015BFDC0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_01619C32 | 5_2_01619C32
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0165FCF2 | 5_2_0165FCF2
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0165FF09 | 5_2_0165FF09
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015A1F92 | 5_2_015A1F92
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_0165FFB1 | 5_2_0165FFB1
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: 5_2_015A9EB0 | 5_2_015A9EB0
Source: C:\Windows\explorer.exe | Code function: 6_2_0E0CA232 | 6_2_0E0CA232
Source: C:\Windows\explorer.exe | Code function: 6_2_0E0C4B30 | 6_2_0E0C4B30
Source: C:\Windows\explorer.exe | Code function: 6_2_0E0C4B32 | 6_2_0E0C4B32
Source: C:\Windows\explorer.exe | Code function: 6_2_0E0C9036 | 6_2_0E0C9036
Source: C:\Windows\explorer.exe | Code function: 6_2_0E0C0082 | 6_2_0E0C0082
Source: C:\Windows\explorer.exe | Code function: 6_2_0E0C1D02 | 6_2_0E0C1D02
Source: C:\Windows\explorer.exe | Code function: 6_2_0E0C7912 | 6_2_0E0C7912
Source: C:\Windows\explorer.exe | Code function: 6_2_0E0CD5CD | 6_2_0E0CD5CD
Source: C:\Windows\explorer.exe | Code function: 6_2_0E218232 | 6_2_0E218232
Source: C:\Windows\explorer.exe | Code function: 6_2_0E212B30 | 6_2_0E212B30
Source: C:\Windows\explorer.exe | Code function: 6_2_0E212B32 | 6_2_0E212B32
Source: C:\Windows\explorer.exe | Code function: 6_2_0E217036 | 6_2_0E217036
Source: C:\Windows\explorer.exe | Code function: 6_2_0E20E082 | 6_2_0E20E082
Source: C:\Windows\explorer.exe | Code function: 6_2_0E20FD02 | 6_2_0E20FD02
Source: C:\Windows\explorer.exe | Code function: 6_2_0E215912 | 6_2_0E215912
Source: C:\Windows\explorer.exe | Code function: 6_2_0E21B5CD | 6_2_0E21B5CD
Source: C:\Windows\explorer.exe | Code function: 6_2_0E39F232 | 6_2_0E39F232
Source: C:\Windows\explorer.exe | Code function: 6_2_0E39E036 | 6_2_0E39E036
Source: C:\Windows\explorer.exe | Code function: 6_2_0E395082 | 6_2_0E395082
Source: C:\Windows\explorer.exe | Code function: 6_2_0E399B30 | 6_2_0E399B30
Source: C:\Windows\explorer.exe | Code function: 6_2_0E399B32 | 6_2_0E399B32
Source: C:\Windows\explorer.exe | Code function: 6_2_0E39C912 | 6_2_0E39C912
Source: C:\Windows\explorer.exe | Code function: 6_2_0E396D02 | 6_2_0E396D02
Source: C:\Windows\explorer.exe | Code function: 6_2_0E3A25CD | 6_2_0E3A25CD
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05820591 | 7_2_05820591
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05760535 | 7_2_05760535
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_0580E4F6 | 7_2_0580E4F6
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05812446 | 7_2_05812446
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05760770 | 7_2_05760770
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05784750 | 7_2_05784750
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_0575C7C0 | 7_2_0575C7C0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_0577C6E0 | 7_2_0577C6E0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_057E8158 | 7_2_057E8158
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_058201AA | 7_2_058201AA
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_058181CC | 7_2_058181CC
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_057FA118 | 7_2_057FA118
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05750100 | 7_2_05750100
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_057F2000 | 7_2_057F2000
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_058203E6 | 7_2_058203E6
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_0576E3F0 | 7_2_0576E3F0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_0581A352 | 7_2_0581A352
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_057E02C0 | 7_2_057E02C0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05800274 | 7_2_05800274
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_057FCD1F | 7_2_057FCD1F
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_0576AD00 | 7_2_0576AD00
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_0575ADE0 | 7_2_0575ADE0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05778DBF | 7_2_05778DBF
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05800CB5 | 7_2_05800CB5
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05760C00 | 7_2_05760C00
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05750CF2 | 7_2_05750CF2
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_057D4F40 | 7_2_057D4F40
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05780F30 | 7_2_05780F30
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_057A2F28 | 7_2_057A2F28
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_0576CFE0 | 7_2_0576CFE0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05752FC8 | 7_2_05752FC8
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_057DEFA0 | 7_2_057DEFA0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_0581CE93 | 7_2_0581CE93
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05760E59 | 7_2_05760E59
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_0581EEDB | 7_2_0581EEDB
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_0581EE26 | 7_2_0581EE26
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05772E90 | 7_2_05772E90
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05776962 | 7_2_05776962
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_0582A9A6 | 7_2_0582A9A6
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_057629A0 | 7_2_057629A0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05762840 | 7_2_05762840
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_0576A840 | 7_2_0576A840
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_0578E8F0 | 7_2_0578E8F0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_057468B8 | 7_2_057468B8
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_05816BD7 | 7_2_05816BD7
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_0581AB40 | 7_2_0581AB40
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_0575EA80 | 7_2_0575EA80
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 7_2_057FD5B0 | 7_2_057FD5B0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_058175717_2_05817571
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_057514607_2_05751460
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0581F43F7_2_0581F43F
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0581F7B07_2_0581F7B0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_058116CC7_2_058116CC
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0574F1727_2_0574F172
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0579516C7_2_0579516C
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0576B1B07_2_0576B1B0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0582B16B7_2_0582B16B
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0580F0CC7_2_0580F0CC
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0581F0E07_2_0581F0E0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_058170E97_2_058170E9
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_057670C07_2_057670C0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0574D34C7_2_0574D34C
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0581132D7_2_0581132D
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_057A739A7_2_057A739A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_058012ED7_2_058012ED
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0577B2C07_2_0577B2C0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_057652A07_2_057652A0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_05763D407_2_05763D40
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0577FDC07_2_0577FDC0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_05811D5A7_2_05811D5A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_05817D737_2_05817D73
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_057D9C327_2_057D9C32
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0581FCF27_2_0581FCF2
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0581FFB17_2_0581FFB1
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0581FF097_2_0581FF09
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_05761F927_2_05761F92
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_05769EB07_2_05769EB0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_057699507_2_05769950
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0577B9507_2_0577B950
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_057F59107_2_057F5910
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_057CD8007_2_057CD800
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_057638E07_2_057638E0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0579DBF97_2_0579DBF9
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_057D5BF07_2_057D5BF0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0581FB767_2_0581FB76
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0577FB807_2_0577FB80
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_057D3A6C7_2_057D3A6C
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_05801AA37_2_05801AA3
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0580DAC67_2_0580DAC6
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_05817A467_2_05817A46
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0581FA497_2_0581FA49
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_057FDAAC7_2_057FDAAC
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_057A5AA07_2_057A5AA0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_04C7E4CE7_2_04C7E4CE
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_04C62D897_2_04C62D89
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_04C62D907_2_04C62D90
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_04C7D5737_2_04C7D573
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_04C7EE4C7_2_04C7EE4C
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_04C69E5B7_2_04C69E5B
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_04C69E607_2_04C69E60
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_04C62FB07_2_04C62FB0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_04C7E8577_2_04C7E857
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_04C7DA9C7_2_04C7DA9C
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0550A0367_2_0550A036
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_05502D027_2_05502D02
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0550E5CD7_2_0550E5CD
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_055089127_2_05508912
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_055010827_2_05501082
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_05505B307_2_05505B30
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_05505B327_2_05505B32
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0550B2327_2_0550B232
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: String function: 0574B970 appears 275 times
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: String function: 057A7E54 appears 101 times
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: String function: 057CEA12 appears 86 times
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: String function: 05795130 appears 58 times
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: String function: 057DF290 appears 105 times
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: String function: 0158B970 appears 275 times
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: String function: 015E7E54 appears 99 times
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: String function: 0161F290 appears 105 times
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: String function: 0160EA12 appears 86 times
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Code function: String function: 015D5130 appears 48 times
Source: TEKLIF 2002509.exe, 00000000.00000002.2156396568.0000000006B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs TEKLIF 2002509.exe
Source: TEKLIF 2002509.exe, 00000000.00000002.2156396568.0000000006B1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs TEKLIF 2002509.exe
Source: TEKLIF 2002509.exe, 00000000.00000002.2157593413.0000000007970000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs TEKLIF 2002509.exe
Source: TEKLIF 2002509.exe, 00000000.00000000.2124193076.0000000000608000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameOBGu.exe> vs TEKLIF 2002509.exe
Source: TEKLIF 2002509.exe, 00000000.00000002.2146214464.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs TEKLIF 2002509.exe
Source: TEKLIF 2002509.exe, 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs TEKLIF 2002509.exe
Source: TEKLIF 2002509.exe, 00000005.00000002.2270562283.0000000001037000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs TEKLIF 2002509.exe
Source: TEKLIF 2002509.exe, 00000005.00000002.2270779723.00000000014B6000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs TEKLIF 2002509.exe
Source: TEKLIF 2002509.exe, 00000005.00000002.2270562283.0000000001050000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs TEKLIF 2002509.exe
Source: TEKLIF 2002509.exe, 00000005.00000002.2270946642.000000000168D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs TEKLIF 2002509.exe
Source: TEKLIF 2002509.exe | Binary or memory string: OriginalFilenameOBGu.exe> vs TEKLIF 2002509.exe
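The rows above are the sandbox's version-resource check: it pulls every OriginalFilename value out of each memory region and compares it with the name of the process the region belongs to. Most hits are expected (clr.dll and ntdll.dll are loaded modules; the PowerShell strings come from a file the process touched); the one that matters is CHKDSK.EXE sitting inside the re-launched sample (process 5), which never loaded chkdsk.exe, so that image was written into the address space by the sample itself. The script below is an added example, not code from the Joe Sandbox report: it parses the UTF-16LE String entries the way a VS_VERSIONINFO block lays them out, and filters out names that the loaded-module list explains. The dump bytes, the helper that builds them and the loaded-module set are all constructed for the demonstration.

```python
"""
Scan a raw memory dump for VS_VERSIONINFO 'OriginalFilename' values and
report the ones that neither the process image nor a loaded module explain.
(Added example; not from the Joe Sandbox report.  The dump is constructed.)
"""
from __future__ import annotations

import re

# A VS_VERSIONINFO String entry is: wLength, wValueLength, wType (3 WORDs),
# szKey as NUL-terminated UTF-16LE, padding to a 4-byte boundary, then the
# value as NUL-terminated UTF-16LE.
_KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
# The value: printable ASCII code points in UTF-16LE, then the NUL pair.
_VALUE_RE = re.compile(rb"((?:[\x20-\x7e]\x00){1,260})\x00\x00")


def original_filenames(buf: bytes) -> list[str]:
    """Every OriginalFilename value in buf, in the order it is found."""
    found: list[str] = []
    pos = 0
    while (i := buf.find(_KEY, pos)) >= 0:
        start = i + len(_KEY)
        # The header plus this key ends on a 4-byte boundary, so the value
        # follows immediately; the +2 retry tolerates a misaligned entry.
        m = _VALUE_RE.match(buf, start) or _VALUE_RE.match(buf, start + 2)
        if m:
            found.append(m.group(1).decode("utf-16-le"))
        pos = start
    return found


def mismatches(process_image: str, buf: bytes,
               loaded_modules: set[str] = frozenset()) -> list[str]:
    """OriginalFilename values that name neither the process image nor a
    module from its loaded-module list.  Such a PE reached the address
    space without the loader: a hollowed image, an injected payload, or a
    file the process read into a buffer.  Treat it as a lead, not proof."""
    expected = {process_image.lower()} | {m.lower() for m in loaded_modules}
    return [n for n in original_filenames(buf) if n.lower() not in expected]


def _string_entry(key: str, value: str) -> bytes:
    """Encode one VS_VERSIONINFO String entry (only used to build the
    constructed sample dump below)."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    pad = b"\x00\x00" if (6 + len(k)) % 4 else b""
    body = k + pad + v
    header = ((6 + len(body)).to_bytes(2, "little")
              + (len(value) + 1).to_bytes(2, "little") + b"\x01\x00")
    return header + body


# Constructed dump (not a real capture): the sample's own version info
# (OriginalFilename OBGu.exe, as the report shows), an unrelated key, a
# chkdsk.exe image the process never loaded, and ntdll.dll which every
# process maps legitimately.
SAMPLE_DUMP = (
    b"\x00" * 16
    + _string_entry("OriginalFilename", "OBGu.exe")
    + b"MZ\x90\x00\x03\x00"
    + _string_entry("CompanyName", "Microsoft Corporation")
    + _string_entry("OriginalFilename", "CHKDSK.EXE")
    + _string_entry("OriginalFilename", "ntdll.dll")
    + b"\xff" * 8
)

if __name__ == "__main__":
    # Hypothetical loaded-module list for the re-launched sample.
    for name in mismatches("TEKLIF 2002509.exe", SAMPLE_DUMP, {"ntdll.dll"}):
        print(f"unexplained OriginalFilename in dump: {name}")
```

Run against a real dump, feed it the process's actual loaded-module list (from the sandbox's "Section loaded" rows or a Sysmon ImageLoad stream); OBGu.exe then remains as the sample's packed identity and CHKDSK.EXE as the injected image.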
Source: TEKLIF 2002509.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Diceloader_15eeb7b9, Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 5.2.TEKLIF 2002509.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Diceloader_15eeb7b9, Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Diceloader_15eeb7b9, Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 00000005.00000002.2270725098.000000000146F000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9
Source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Diceloader_15eeb7b9, Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Diceloader_15eeb7b9, Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Diceloader_15eeb7b9, Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Diceloader_15eeb7b9, Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: Process Memory Space: TEKLIF 2002509.exe PID: 3184, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116
Source: Process Memory Space: TEKLIF 2002509.exe PID: 5068, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR | Matched rule: ironshell_php
Source: Process Memory Space: chkdsk.exe PID: 1816, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116
Rule metadata (identical for every match of the same rule above):
Windows_Trojan_Diceloader_15eeb7b9: reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Windows_Trojan_Formbook_1112e116: reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
ironshell_php: author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Source: TEKLIF 2002509.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, wCU9vxKnwQhdQeKf63.cs | Security API names: _0020.SetAccessControl
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, wCU9vxKnwQhdQeKf63.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, wCU9vxKnwQhdQeKf63.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, wCU9vxKnwQhdQeKf63.cs | Security API names: _0020.SetAccessControl
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, wCU9vxKnwQhdQeKf63.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, wCU9vxKnwQhdQeKf63.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, JM7O18raLdCsp0TT2f.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, JM7O18raLdCsp0TT2f.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, JM7O18raLdCsp0TT2f.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, JM7O18raLdCsp0TT2f.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@523/6@11/0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TEKLIF 2002509.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2848:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jglyexfm.d5r.ps1
Source: TEKLIF 2002509.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TEKLIF 2002509.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: TEKLIF 2002509.exe | ReversingLabs: Detection: 73%
Source: unknown | Process created: C:\Users\user\Desktop\TEKLIF 2002509.exe "C:\Users\user\Desktop\TEKLIF 2002509.exe"
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKLIF 2002509.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Process created: C:\Users\user\Desktop\TEKLIF 2002509.exe "C:\Users\user\Desktop\TEKLIF 2002509.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"
Source: C:\Windows\SysWOW64\chkdsk.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TEKLIF 2002509.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
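The process rows above are the whole FormBook delivery chain in four hops: the .NET loader starts powershell.exe to put its own path on the Defender exclusion list, re-launches itself and hollows that copy with the unpacked payload, migrates into explorer.exe, and from there spawns a SysWOW64 utility (chkdsk.exe here) whose only job is to run cmd /c del on the original file. The script below is an added example, not code from the Joe Sandbox report or the sandbox's own signatures: it runs three detections over Sysmon-style process-creation events and prints the ancestry of each hit. The event list is constructed to mirror this report; the PIDs 3184, 5068, 4004 and 1816 come from the report, the other PIDs and the -EncodedCommand variant (added because the same cmdlet is commonly passed base64-encoded) are made up.

```python
"""
Three detections over process-creation events shaped like this report's
chain: Defender exclusion via powershell.exe, a process re-launching its
own image, and cmd.exe deleting the image of a process in the same tree.
(Added example; not from the Joe Sandbox report.  Events are constructed.)
"""
from __future__ import annotations

import base64
import re

SAMPLE = r"C:\Users\user\Desktop\TEKLIF 2002509.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
# Made-up -EncodedCommand variant (base64 of UTF-16LE) to exercise decoding.
ENC = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData'".encode("utf-16-le")
).decode()

# Constructed events: PIDs 3184, 5068, 4004, 1816 match the report; the rest
# are invented.  ppid 1000 stands for a parent outside the captured set.
EVENTS = [
    {"pid": 3184, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 6000, "ppid": 3184, "image": PS,
     "cmdline": f'"{PS}" Add-MpPreference -ExclusionPath "{SAMPLE}"'},
    {"pid": 5068, "ppid": 3184, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 6200, "ppid": 3184, "image": PS,
     "cmdline": f'"{PS}" -nop -w hidden -enc {ENC}'},
    {"pid": 4004, "ppid": 1000, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 1816, "ppid": 4004, "image": r"C:\Windows\SysWOW64\chkdsk.exe",
     "cmdline": r'"C:\Windows\SysWOW64\chkdsk.exe"'},
    {"pid": 6100, "ppid": 1816, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'/c del "{SAMPLE}"'},
]

_ENC_RE = re.compile(r"(?i)\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
_MPPREF_RE = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b.*-(?:Exclusion\w*|Disable\w*)")
_QUOTED_RE = re.compile(r'"([^"]+)"')


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def powershell_command(cmdline: str) -> str:
    """The PowerShell command text: when -e/-enc/-EncodedCommand is present,
    decode the base64 UTF-16LE payload so the cmdlet check sees plaintext."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def detect(events: list[dict]) -> list[tuple[str, int]]:
    """(rule, pid) for every event that trips one of the three rules."""
    by_pid = {e["pid"]: e for e in events}
    images = {e["image"].lower() for e in events}
    hits: list[tuple[str, int]] = []
    for e in events:
        name = _basename(e["image"])
        parent = by_pid.get(e["ppid"])
        # 1. Defender tampering: Add-/Set-MpPreference adding an exclusion or
        #    disabling a protection, whether plaintext or encoded.
        if name == "powershell.exe" and _MPPREF_RE.search(powershell_command(e["cmdline"])):
            hits.append(("defender_exclusion", e["pid"]))
        # 2. A process launching its own image again: the usual prelude to
        #    hollowing the suspended child with the unpacked payload.
        if parent is not None and parent["image"].lower() == e["image"].lower():
            hits.append(("self_spawn", e["pid"]))
        # 3. cmd.exe deleting a file that is the image of a process in the
        #    same tree: the sample removing itself after injection.
        if name == "cmd.exe" and re.search(r"(?i)\bdel\b", e["cmdline"]):
            if any(p.lower() in images for p in _QUOTED_RE.findall(e["cmdline"])):
                hits.append(("self_delete", e["pid"]))
    return hits


def chain(events: list[dict], pid: int) -> str:
    """Ancestry of pid rendered as 'ancestor > ... > process'."""
    by_pid = {e["pid"]: e for e in events}
    names = []
    while pid in by_pid:
        names.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(names))


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:<18} pid={pid:<5} {chain(EVENTS, pid)}")
```

Rule 3 is the one worth keeping even when the loader changes: the utility explorer.exe spawns varies from build to build, but a `del` of a path that was itself an executed image is stable across FormBook samples. On a real host the exclusion added by rule 1 can be confirmed from the Defender operational log or by reading the ExclusionPath property of Get-MpPreference.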
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: mscoree.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: apphelp.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: version.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: wldp.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: profapi.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: dwrite.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: windowscodecs.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: amsi.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: userenv.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: msasn1.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: gpapi.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: propsys.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: edputil.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: urlmon.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: iertutil.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: srvcli.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: netutils.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: windows.staterepositoryps.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: sspicli.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: wintypes.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: appresolver.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: bcp47langs.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: slc.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: sppc.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: onecorecommonproxystub.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeSection loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
          Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.schema.shell.dll
          Source: C:\Windows\SysWOW64\chkdsk.exeSection loaded: ulib.dll
          Source: C:\Windows\SysWOW64\chkdsk.exeSection loaded: ifsutil.dll
          Source: C:\Windows\SysWOW64\chkdsk.exeSection loaded: devobj.dll
          Source: C:\Windows\SysWOW64\chkdsk.exeSection loaded: wininet.dll
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: TEKLIF 2002509.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: TEKLIF 2002509.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: TEKLIF 2002509.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: OBGu.pdbSHA2561h source: TEKLIF 2002509.exe
          Source: Binary string: chkdsk.pdbGCTL source: TEKLIF 2002509.exe, 00000005.00000002.2270562283.0000000001037000.00000004.00000020.00020000.00000000.sdmp, TEKLIF 2002509.exe, 00000005.00000002.2270779723.00000000014B0000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000007.00000002.4600399976.0000000000C40000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: OBGu.pdb source: TEKLIF 2002509.exe
          Source: Binary string: chkdsk.pdb source: TEKLIF 2002509.exe, 00000005.00000002.2270562283.0000000001037000.00000004.00000020.00020000.00000000.sdmp, TEKLIF 2002509.exe, 00000005.00000002.2270779723.00000000014B0000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000007.00000002.4600399976.0000000000C40000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: TEKLIF 2002509.exe, 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000003.2272873820.0000000005572000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000003.2270790993.00000000053C6000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: TEKLIF 2002509.exe, TEKLIF 2002509.exe, 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000003.2272873820.0000000005572000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000003.2270790993.00000000053C6000.00000004.00000020.00020000.00000000.sdmp
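
The process tree recorded above (the sample adding a Defender exclusion for itself through PowerShell, re-launching its own image, an injected explorer.exe spawning chkdsk.exe, and chkdsk.exe deleting the original file through cmd.exe) is the chain a detection engineer wants to match from process-creation telemetry rather than from file hashes, which change with every build. The Python below is an added example, not code from the Joe Sandbox report or from the FormBook sample: it parses the report's own "Process created" lines, embedded here as constructed sample input copied from the entries above, and applies four heuristics to them. The rule names and the extra line that hides the same cmdlet behind -EncodedCommand are assumptions made for this example; the Sigma match listed in the report ("Powershell Base64 Encoded MpPreference Cmdlet") is the reason the encoded form is decoded before the string rules run.

```python
import base64
import re

# Constructed sample input: the "Process created" entries from the report above, kept in
# the report's own line format (parent image fused to "Process created:", then the child
# image and its command line). The final entry is constructed for this example: the same
# exclusion hidden behind -EncodedCommand (base64 of UTF-16LE), the form that the Sigma
# rule quoted in the report targets.
EXCLUSION_CMD = r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKLIF 2002509.exe"'
ENCODED = base64.b64encode(EXCLUSION_CMD.encode("utf-16-le")).decode("ascii")

REPORT_LINES = [
    r'Source: C:\Users\user\Desktop\TEKLIF 2002509.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKLIF 2002509.exe"',
    r'Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'Source: C:\Users\user\Desktop\TEKLIF 2002509.exeProcess created: C:\Users\user\Desktop\TEKLIF 2002509.exe "C:\Users\user\Desktop\TEKLIF 2002509.exe"',
    r'Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"',
    r'Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TEKLIF 2002509.exe"',
    r'Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'Source: C:\Users\user\Desktop\TEKLIF 2002509.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoP -EncodedCommand ' + ENCODED,
]

# Parent and child image paths both end in ".exe"; the report fuses the parent path to
# the finding text, so the lazy ".+?\.exe" groups are what split the line correctly.
LINE_RE = re.compile(
    r"^Source:\s*(?P<parent>.+?\.exe)Process created:\s*(?P<child>.+?\.exe)\s*(?P<cmdline>.*)$",
    re.IGNORECASE,
)
# -e, -ec, -enc and -EncodedCommand followed by a base64 blob (other prefixes omitted).
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def parse(line):
    """Split one report line into parent image, child image and child command line."""
    m = LINE_RE.match(line)
    return {k: m.group(k) for k in ("parent", "child", "cmdline")} if m else None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def effective_cmdline(cmdline):
    """Append the decoded -EncodedCommand payload (if any) so string rules see the real
    cmdlet even when the attacker base64-encodes it."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def triage(lines):
    """Apply the four heuristics to report lines; return [(rule, line_index), ...]."""
    events = [(i, parse(line)) for i, line in enumerate(lines)]
    events = [(i, ev) for i, ev in events if ev]
    images = {ev["parent"].lower() for _, ev in events} | {ev["child"].lower() for _, ev in events}
    hits = []
    for i, ev in events:
        parent, child = basename(ev["parent"]), basename(ev["child"])
        cmd = effective_cmdline(ev["cmdline"])
        # 1. Defender exclusion added from PowerShell, encoded or not (ATT&CK T1562.001).
        if child == "powershell.exe" and re.search(r"add-mppreference\s+-exclusion", cmd, re.I):
            hits.append(("defender_exclusion", i))
        # 2. A process re-launching its own image: the usual prelude to hollowing it.
        if ev["parent"].lower() == ev["child"].lower():
            hits.append(("self_spawn_hollowing", i))
        # 3. explorer.exe starting a SysWOW64 utility with no arguments: an injected
        #    explorer handing execution to a system binary, as with chkdsk.exe above.
        no_args = ev["cmdline"].strip().strip('"').lower() == ev["child"].lower()
        if parent == "explorer.exe" and "\\syswow64\\" in ev["child"].lower() and no_args:
            hits.append(("explorer_spawns_syswow64_tool", i))
        # 4. cmd /c del of an image seen elsewhere in the tree: the sample cleaning up.
        m = re.search(r'/c\s+del\s+"?([^"]+?\.exe)"?', ev["cmdline"], re.I)
        if child == "cmd.exe" and m and m.group(1).lower() in images:
            hits.append(("self_delete", i))
    return hits


if __name__ == "__main__":
    for rule, idx in triage(REPORT_LINES):
        print(f"{rule:32s} line {idx}: {REPORT_LINES[idx][:90]}")
```

Rule 1 is the one worth keeping in production: an unprivileged user cannot run Add-MpPreference successfully, so a hit from a non-admin context also tells you the sample expected, or obtained, elevation. Rules 2 to 4 are tree-shape heuristics that fire on benign software now and then (installers re-launch themselves, scripts delete temp files), so they are best used to score a tree rather than to alert on their own.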

          Data Obfuscation

          Source: TEKLIF 2002509.exe, MainForm.cs.Net Code: InitializeComponent
          Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, wCU9vxKnwQhdQeKf63.cs.Net Code: kYVAevGp7n System.Reflection.Assembly.Load(byte[])
          Source: 0.2.TEKLIF 2002509.exe.2ad99b0.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
          Source: 0.2.TEKLIF 2002509.exe.2acc800.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
          Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, wCU9vxKnwQhdQeKf63.cs.Net Code: kYVAevGp7n System.Reflection.Assembly.Load(byte[])
          Source: 0.2.TEKLIF 2002509.exe.5410000.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
          Source: 6.2.explorer.exe.105af840.0.raw.unpack, MainForm.cs.Net Code: InitializeComponent
          Source: 7.2.chkdsk.exe.5c6f840.3.raw.unpack, MainForm.cs.Net Code: InitializeComponent
          Source: TEKLIF 2002509.exeStatic PE information: 0x90BE7A2C [Fri Dec 14 12:10:20 2046 UTC]
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 0_2_07A00F38 push FC05428Bh; iretd 0_2_07A00F45
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 0_2_07A004EB push ecx; ret 0_2_07A004EC
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0041B863 push esi; iretd 5_2_0041B866
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_00416B15 push 560BADFBh; retf 5_2_00416B1A
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0040E44C push fs; iretd 5_2_0040E453
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0041D4D2 push eax; ret 5_2_0041D4D8
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0041D4DB push eax; ret 5_2_0041D542
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0041D485 push eax; ret 5_2_0041D4D8
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0041D53C push eax; ret 5_2_0041D542
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015909AD push ecx; mov dword ptr [esp], ecx5_2_015909B6
          Source: C:\Windows\explorer.exeCode function: 6_2_0E0CDB02 push esp; retn 0000h6_2_0E0CDB03
          Source: C:\Windows\explorer.exeCode function: 6_2_0E0CDB1E push esp; retn 0000h6_2_0E0CDB1F
          Source: C:\Windows\explorer.exeCode function: 6_2_0E0CD9B5 push esp; retn 0000h6_2_0E0CDAE7
          Source: C:\Windows\explorer.exeCode function: 6_2_0E21BB02 push esp; retn 0000h6_2_0E21BB03
          Source: C:\Windows\explorer.exeCode function: 6_2_0E21BB1E push esp; retn 0000h6_2_0E21BB1F
          Source: C:\Windows\explorer.exeCode function: 6_2_0E21B9B5 push esp; retn 0000h6_2_0E21BAE7
          Source: C:\Windows\explorer.exeCode function: 6_2_0E3A2B1E push esp; retn 0000h6_2_0E3A2B1F
          Source: C:\Windows\explorer.exeCode function: 6_2_0E3A2B02 push esp; retn 0000h6_2_0E3A2B03
          Source: C:\Windows\explorer.exeCode function: 6_2_0E3A29B5 push esp; retn 0000h6_2_0E3A2AE7
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_057509AD push ecx; mov dword ptr [esp], ecx7_2_057509B6
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_04C7D4D2 push eax; ret 7_2_04C7D4D8
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_04C7D4DB push eax; ret 7_2_04C7D542
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_04C7D485 push eax; ret 7_2_04C7D4D8
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_04C6E44C push fs; iretd 7_2_04C6E453
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_04C7D53C push eax; ret 7_2_04C7D542
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_04C7B863 push esi; iretd 7_2_04C7B866
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_04C76B15 push 560BADFBh; retf 7_2_04C76B1A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0550E9B5 push esp; retn 0000h7_2_0550EAE7
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0550EB1E push esp; retn 0000h7_2_0550EB1F
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 7_2_0550EB02 push esp; retn 0000h7_2_0550EB03
          Source: TEKLIF 2002509.exeStatic PE information: section name: .text entropy: 7.8074983869733705
          Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, heQCqOCOAbT2gUwU8T.csHigh entropy of concatenated method names: 'BrE6CXyFYW', 'QJN6R4TwBL', 'Hvj6egGNIV', 'nd16YJSPHY', 'E9n6O0ZDJ2', 'w6b6KkD5Aj', 'Oms6g0XGiG', 'Jch6GRQIxn', 'dxw6FUWB9S', 'fCh6DSOZ0P'
          Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, TDtukO6GfaUXhl2KOo.csHigh entropy of concatenated method names: 'Sr07XDI55B', 'QtU7jEUc8t', 'B1S7AGXXFF', 'XIu78AqWqq', 'Sh572uHCc6', 'M857SbiVNS', 'lwl7cA94mf', 'FYT090W2Is', 'iKZ0NVb8Yq', 'y0l0hdvoY9'
          Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, ypRME2DH0KH6NXESPt.csHigh entropy of concatenated method names: 'BQT0TwqcX5', 'CAK0tSvT0b', 'vvL0dUaGm7', 'bCa03TqHHP', 'HQW0yAJyoD', 'cH60Mx6te4', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, QeDj08uv5Gyt8HZAr2q.csHigh entropy of concatenated method names: 'xp77CnW8lN', 'kyV7RadaYb', 'tGB7eFkuVy', 'z7I7YIUuYk', 'H1i7O7rsjg', 'n587KBbyen', 'kL97grEFaa', 'Lto7GJPX6n', 'm047FnEyii', 'IZK7DUx7q1'
          Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, UXnH0fbaR81yZxE9m6.csHigh entropy of concatenated method names: 'Y6tej7BLG', 'GdrY93CYX', 'i7cKUYclH', 'DnQgtYgsa', 'qBOFgokEX', 'FXNDQ9aKy', 'd7YIe8ehyCgRUTpYfX', 'hiPvK05gq0jvJKVv0m', 'Tt60rplEb', 'AwlmnH5dR'
          Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, Qy9rUWPyo7qf6AWgkP.csHigh entropy of concatenated method names: 'ikFvoswQLB', 'cXcvnXj6tm', 'ToString', 'iIfv8AVOEB', 'fnCv2fGtLi', 'NufvZYLXgQ', 'tJHvSxc8ny', 'SRovcy1J80', 'doLv6Kgna2', 'eljvEMB2X1'
          Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, ywlHyox3VgNfgD8hfG.csHigh entropy of concatenated method names: 'YmrQGngwiC', 'hK2QFN8QUQ', 'M65QTB7BlH', 'nIEQtfgTJ4', 'hJCQ3WSEkG', 'iL1QMHg9UJ', 'qkLQxrZ9wb', 'bnjQ1LnsSx', 'd1KQUaqaVo', 'rjbQr9UpM3'
          Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, VGRc9N4PfOyfPQ8fBe.csHigh entropy of concatenated method names: 'U37vNgGJO2', 'QElvaV5mBU', 'MDv04wddx4', 'lMI0XYDCD8', 'FfvvrQL0Ar', 'NBnvWX0kOX', 'xnBvw5N5qb', 'r2QvyjwA91', 'GkUvVpt9SE', 'jE3vByxJK3'
          Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, qNgdCMuJtVgkUgx1iYT.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MEHmyk3ydF', 'T5DmVKeXQU', 'Fw3mBDROZ4', 'b6xmbF87dS', 'I4YmijDe77', 'LeFmParLDi', 'dddm91xjHq'
          Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, nXDjhnc6rpeKmEPU6W.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'wF0Lhwx0xs', 'v3SLaE6txj', 'rW6LzW0m6q', 'qasj4qNcMT', 'GPbjX4qRJU', 'DRBjLHq36a', 'HkTjjANg83', 'ufowXSwKDB9GvrIXy2u'
          Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, XO1rwv9tMAukoct4Me.csHigh entropy of concatenated method names: 'ToString', 'YUWkra1qHb', 'uRuktJcQTq', 'IcxkdQWvyQ', 'hTyk3Yw77B', 'DbckMq7EAp', 'DWFks6oXkt', 'R6Hkx2BdLs', 'm5bk17Bq6G', 'yVYku4Le5u'
          Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, wCU9vxKnwQhdQeKf63.csHigh entropy of concatenated method names: 'ci4jqFa4tg', 'vXgj876sEA', 'cY7j2Ge4hR', 'xnLjZRprUv', 'JFXjS9b4Rq', 'w0sjcxBVqP', 'vD1j6121vR', 'GZSjETtD78', 'VaSjlfaSB9', 'XlnjoLJ0OH'
          Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, FMRpxsMUdTJr0QpsDa.csHigh entropy of concatenated method names: 'aPF68fZDxo', 'T986ZKiT2A', 'soe6cTwkk2', 'jl3cakGEPO', 'RsDczMiZ2h', 'IcZ64x1bKF', 'k9C6XdpSyA', 'u226LwTTTQ', 'IAS6jCK1RA', 'nKC6AFY1eN'
          Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, lfySkRXcXOQywbZCfq.csHigh entropy of concatenated method names: 'GDb08KCApM', 'GaK02TTsvg', 'VPR0ZRGkWt', 'fKK0SFY7c3', 'mZh0clex8x', 'zSl06oJjxk', 'jmp0E9OoiH', 'vZt0lTgKZA', 'knL0o8IIRA', 'zW30nq4QK2'
          Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, IV6JtV2LRtdxPmJqYT.csHigh entropy of concatenated method names: 'MLnZYs97QX', 'C3lZKfrMdR', 'vy9ZG54Goa', 'EZPZFAxmjs', 't4ZZIHSQ86', 'gM2Zk2yWaj', 'cCWZvny3Hu', 'XAOZ02CdDD', 'fyNZ7AMvHn', 'XXXZm0sVJY'
          Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, bE3eCyUm6riB2iwlt7.csHigh entropy of concatenated method names: 'cp8cqk947G', 'rApc2BrhEp', 'YGacSBWT4t', 'RB7c6PVrfi', 'PuccEgTgtY', 'qa2Si10oPP', 'bxMSP6WatX', 'IVuS9fHinS', 'tb7SNF3eY4', 'zZJShtEFny'
          Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, dQ8buBsFPhIFtUaRGF.csHigh entropy of concatenated method names: 'Dispose', 'I3tXhhGGhP', 'rtiLtTy8q5', 'RVFffGYOwy', 'kcxXaB3cd7', 'xyAXzIfNlX', 'ProcessDialogKey', 'JH6L4ykyBa', 'z4ALXBdCCo', 'DcrLL3JsY5'
          Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, JM7O18raLdCsp0TT2f.csHigh entropy of concatenated method names: 'vXS2yR0RLq', 'c2Q2VObuwS', 'A2g2BHiZUX', 'dqX2bIPiqe', 'J8U2iQAglH', 'XOV2PBhIJN', 'zh429vXtPK', 'wOw2N6DqyP', 'NNx2hCyR3R', 'xnU2aaWjfQ'
          Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, bYZGVsGsEIjObcNWh3.csHigh entropy of concatenated method names: 'l9YX6eutdN', 'E3vXEXMfKP', 'tSoXoX2jP2', 'EtRXn9Nmbi', 'qHnXI5nhrF', 'SCmXkLhpeR', 'wL8GYrsxZ29qqDDnVg', 'PDBMEoTSiJKjy11OVA', 'FVKbDEWqqa3d8flRxQ', 'KO7XXLXsqg'
          Source: 0.2.TEKLIF 2002509.exe.2ad99b0.0.raw.unpack, kD0JNdgNBriBGn5egS.csHigh entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
          Source: 0.2.TEKLIF 2002509.exe.2ad99b0.0.raw.unpack, QBy45BY4uMbUQs88Qq.csHigh entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
          Source: 0.2.TEKLIF 2002509.exe.2acc800.1.raw.unpack, kD0JNdgNBriBGn5egS.csHigh entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
          Source: 0.2.TEKLIF 2002509.exe.2acc800.1.raw.unpack, QBy45BY4uMbUQs88Qq.csHigh entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
          Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, heQCqOCOAbT2gUwU8T.csHigh entropy of concatenated method names: 'BrE6CXyFYW', 'QJN6R4TwBL', 'Hvj6egGNIV', 'nd16YJSPHY', 'E9n6O0ZDJ2', 'w6b6KkD5Aj', 'Oms6g0XGiG', 'Jch6GRQIxn', 'dxw6FUWB9S', 'fCh6DSOZ0P'
          Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, TDtukO6GfaUXhl2KOo.csHigh entropy of concatenated method names: 'Sr07XDI55B', 'QtU7jEUc8t', 'B1S7AGXXFF', 'XIu78AqWqq', 'Sh572uHCc6', 'M857SbiVNS', 'lwl7cA94mf', 'FYT090W2Is', 'iKZ0NVb8Yq', 'y0l0hdvoY9'
          Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, ypRME2DH0KH6NXESPt.csHigh entropy of concatenated method names: 'BQT0TwqcX5', 'CAK0tSvT0b', 'vvL0dUaGm7', 'bCa03TqHHP', 'HQW0yAJyoD', 'cH60Mx6te4', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, QeDj08uv5Gyt8HZAr2q.csHigh entropy of concatenated method names: 'xp77CnW8lN', 'kyV7RadaYb', 'tGB7eFkuVy', 'z7I7YIUuYk', 'H1i7O7rsjg', 'n587KBbyen', 'kL97grEFaa', 'Lto7GJPX6n', 'm047FnEyii', 'IZK7DUx7q1'
          Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, UXnH0fbaR81yZxE9m6.csHigh entropy of concatenated method names: 'Y6tej7BLG', 'GdrY93CYX', 'i7cKUYclH', 'DnQgtYgsa', 'qBOFgokEX', 'FXNDQ9aKy', 'd7YIe8ehyCgRUTpYfX', 'hiPvK05gq0jvJKVv0m', 'Tt60rplEb', 'AwlmnH5dR'
          Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, Qy9rUWPyo7qf6AWgkP.csHigh entropy of concatenated method names: 'ikFvoswQLB', 'cXcvnXj6tm', 'ToString', 'iIfv8AVOEB', 'fnCv2fGtLi', 'NufvZYLXgQ', 'tJHvSxc8ny', 'SRovcy1J80', 'doLv6Kgna2', 'eljvEMB2X1'
          Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, ywlHyox3VgNfgD8hfG.csHigh entropy of concatenated method names: 'YmrQGngwiC', 'hK2QFN8QUQ', 'M65QTB7BlH', 'nIEQtfgTJ4', 'hJCQ3WSEkG', 'iL1QMHg9UJ', 'qkLQxrZ9wb', 'bnjQ1LnsSx', 'd1KQUaqaVo', 'rjbQr9UpM3'
          Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, VGRc9N4PfOyfPQ8fBe.csHigh entropy of concatenated method names: 'U37vNgGJO2', 'QElvaV5mBU', 'MDv04wddx4', 'lMI0XYDCD8', 'FfvvrQL0Ar', 'NBnvWX0kOX', 'xnBvw5N5qb', 'r2QvyjwA91', 'GkUvVpt9SE', 'jE3vByxJK3'
          Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, qNgdCMuJtVgkUgx1iYT.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MEHmyk3ydF', 'T5DmVKeXQU', 'Fw3mBDROZ4', 'b6xmbF87dS', 'I4YmijDe77', 'LeFmParLDi', 'dddm91xjHq'
          Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, nXDjhnc6rpeKmEPU6W.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'wF0Lhwx0xs', 'v3SLaE6txj', 'rW6LzW0m6q', 'qasj4qNcMT', 'GPbjX4qRJU', 'DRBjLHq36a', 'HkTjjANg83', 'ufowXSwKDB9GvrIXy2u'
          Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, XO1rwv9tMAukoct4Me.csHigh entropy of concatenated method names: 'ToString', 'YUWkra1qHb', 'uRuktJcQTq', 'IcxkdQWvyQ', 'hTyk3Yw77B', 'DbckMq7EAp', 'DWFks6oXkt', 'R6Hkx2BdLs', 'm5bk17Bq6G', 'yVYku4Le5u'
          Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, wCU9vxKnwQhdQeKf63.csHigh entropy of concatenated method names: 'ci4jqFa4tg', 'vXgj876sEA', 'cY7j2Ge4hR', 'xnLjZRprUv', 'JFXjS9b4Rq', 'w0sjcxBVqP', 'vD1j6121vR', 'GZSjETtD78', 'VaSjlfaSB9', 'XlnjoLJ0OH'
          Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, FMRpxsMUdTJr0QpsDa.csHigh entropy of concatenated method names: 'aPF68fZDxo', 'T986ZKiT2A', 'soe6cTwkk2', 'jl3cakGEPO', 'RsDczMiZ2h', 'IcZ64x1bKF', 'k9C6XdpSyA', 'u226LwTTTQ', 'IAS6jCK1RA', 'nKC6AFY1eN'
          Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, lfySkRXcXOQywbZCfq.csHigh entropy of concatenated method names: 'GDb08KCApM', 'GaK02TTsvg', 'VPR0ZRGkWt', 'fKK0SFY7c3', 'mZh0clex8x', 'zSl06oJjxk', 'jmp0E9OoiH', 'vZt0lTgKZA', 'knL0o8IIRA', 'zW30nq4QK2'
          Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, IV6JtV2LRtdxPmJqYT.csHigh entropy of concatenated method names: 'MLnZYs97QX', 'C3lZKfrMdR', 'vy9ZG54Goa', 'EZPZFAxmjs', 't4ZZIHSQ86', 'gM2Zk2yWaj', 'cCWZvny3Hu', 'XAOZ02CdDD', 'fyNZ7AMvHn', 'XXXZm0sVJY'
          Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, bE3eCyUm6riB2iwlt7.csHigh entropy of concatenated method names: 'cp8cqk947G', 'rApc2BrhEp', 'YGacSBWT4t', 'RB7c6PVrfi', 'PuccEgTgtY', 'qa2Si10oPP', 'bxMSP6WatX', 'IVuS9fHinS', 'tb7SNF3eY4', 'zZJShtEFny'
          Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, dQ8buBsFPhIFtUaRGF.csHigh entropy of concatenated method names: 'Dispose', 'I3tXhhGGhP', 'rtiLtTy8q5', 'RVFffGYOwy', 'kcxXaB3cd7', 'xyAXzIfNlX', 'ProcessDialogKey', 'JH6L4ykyBa', 'z4ALXBdCCo', 'DcrLL3JsY5'
          Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, JM7O18raLdCsp0TT2f.csHigh entropy of concatenated method names: 'vXS2yR0RLq', 'c2Q2VObuwS', 'A2g2BHiZUX', 'dqX2bIPiqe', 'J8U2iQAglH', 'XOV2PBhIJN', 'zh429vXtPK', 'wOw2N6DqyP', 'NNx2hCyR3R', 'xnU2aaWjfQ'
          Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, bYZGVsGsEIjObcNWh3.csHigh entropy of concatenated method names: 'l9YX6eutdN', 'E3vXEXMfKP', 'tSoXoX2jP2', 'EtRXn9Nmbi', 'qHnXI5nhrF', 'SCmXkLhpeR', 'wL8GYrsxZ29qqDDnVg', 'PDBMEoTSiJKjy11OVA', 'FVKbDEWqqa3d8flRxQ', 'KO7XXLXsqg'
          Source: 0.2.TEKLIF 2002509.exe.5410000.3.raw.unpack, kD0JNdgNBriBGn5egS.csHigh entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
          Source: 0.2.TEKLIF 2002509.exe.5410000.3.raw.unpack, QBy45BY4uMbUQs88Qq.csHigh entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
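
The Data Obfuscation findings above rest on two entropy measurements (a .text section at 7.81 bits per byte, and method-name sets such as 'BrE6CXyFYW', 'QJN6R4TwBL', ... that a renaming obfuscator produced) plus a compile timestamp that decodes to December 2046. The Python below is an added example, not code from the report or from the sample, that reproduces those three static checks so they can be run against other files: one Shannon entropy function applied to section bytes and to concatenated identifiers, and a decode of the PE TimeDateStamp that flags build times later than the analysis date. The section bytes are constructed (a deterministic hash chain stands in for the packed section), the identifier lists are copied from the findings above, and the thresholds of 7.0 and 5.0 bits are assumptions chosen for illustration, not Joe Sandbox's own values.

```python
import hashlib
import math
from collections import Counter
from datetime import datetime, timezone


def shannon_entropy(symbols):
    """Shannon entropy in bits per symbol of a bytes object or a string."""
    n = len(symbols)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())


# Illustrative thresholds, assumed for this example (not Joe Sandbox's internal values).
SECTION_PACKED_BITS = 7.0     # a code section this dense is compressed or encrypted
NAMES_OBFUSCATED_BITS = 5.0   # concatenated identifiers from a renaming obfuscator


def section_is_packed(data):
    return shannon_entropy(data) >= SECTION_PACKED_BITS


def names_look_obfuscated(names):
    return shannon_entropy("".join(names)) >= NAMES_OBFUSCATED_BITS


def decode_pe_timestamp(ts, reference=None):
    """Decode IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch) and flag it
    when it lies after `reference` (default: now), which a genuine build time cannot."""
    reference = reference or datetime.now(timezone.utc)
    built = datetime.fromtimestamp(ts, tz=timezone.utc)
    return built, built > reference


def pseudo_random_bytes(n, seed=b"constructed-section"):
    """Deterministic high-entropy blob standing in for the packed .text section."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed inputs: a stand-in packed section, a plain one, and two identifier sets
# copied from the report's findings (obfuscated names versus ordinary .NET members).
PACKED_SECTION = pseudo_random_bytes(4096)
PLAIN_SECTION = (b"MZ" + b"\x00" * 30 + b"This program cannot be run in DOS mode.") * 50
OBFUSCATED_NAMES = ["BrE6CXyFYW", "QJN6R4TwBL", "Hvj6egGNIV", "nd16YJSPHY", "E9n6O0ZDJ2",
                    "w6b6KkD5Aj", "Oms6g0XGiG", "Jch6GRQIxn", "dxw6FUWB9S", "fCh6DSOZ0P"]
NORMAL_NAMES = ["InitializeComponent", "Dispose", "ToString", "Next", "NextBytes",
                "CanConvertFrom", "ConvertFrom", "ConvertTo", "EditValue",
                "GetEditStyle", "ProcessDialogKey"]
SAMPLE_TIMESTAMP = 0x90BE7A2C   # the report's value: Fri Dec 14 12:10:20 2046 UTC


def triage(section, names, timestamp):
    """Combine the three checks into one verdict dictionary."""
    built, in_future = decode_pe_timestamp(timestamp)
    return {
        "section_entropy": round(shannon_entropy(section), 2),
        "packed": section_is_packed(section),
        "names_entropy": round(shannon_entropy("".join(names)), 2),
        "obfuscated_names": names_look_obfuscated(names),
        "build_time": built.isoformat(),
        "timestamp_in_future": in_future,
    }


if __name__ == "__main__":
    for key, value in triage(PACKED_SECTION, OBFUSCATED_NAMES, SAMPLE_TIMESTAMP).items():
        print(f"{key}: {value}")
```

Two caveats when applying this outside a lab. Entropy alone does not separate a packed malware section from a legitimately compressed resource or a .NET assembly with embedded images, so it is a triage score, not a verdict. And a future timestamp only proves the header was altered or the build clock was wrong; the reverse (a plausible timestamp) proves nothing, because a packer can write any value it likes into that field.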

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe - Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\chkdsk.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe - Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match - File source: Process Memory Space: TEKLIF 2002509.exe PID: 3184, type: MEMORYSTR
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - API/Special instruction interceptor: Address: 7FFDB442D324
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - API/Special instruction interceptor: Address: 7FFDB4430774
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - API/Special instruction interceptor: Address: 7FFDB4430154
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - API/Special instruction interceptor: Address: 7FFDB442D8A4
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - API/Special instruction interceptor: Address: 7FFDB442DA44
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - API/Special instruction interceptor: Address: 7FFDB442D1E4
          Source: C:\Windows\SysWOW64\chkdsk.exe - API/Special instruction interceptor: Address: 7FFDB442D324
          Source: C:\Windows\SysWOW64\chkdsk.exe - API/Special instruction interceptor: Address: 7FFDB4430774
          Source: C:\Windows\SysWOW64\chkdsk.exe - API/Special instruction interceptor: Address: 7FFDB442D944
          Source: C:\Windows\SysWOW64\chkdsk.exe - API/Special instruction interceptor: Address: 7FFDB442D504
          Source: C:\Windows\SysWOW64\chkdsk.exe - API/Special instruction interceptor: Address: 7FFDB442D544
          Source: C:\Windows\SysWOW64\chkdsk.exe - API/Special instruction interceptor: Address: 7FFDB442D1E4
          Source: C:\Windows\SysWOW64\chkdsk.exe - API/Special instruction interceptor: Address: 7FFDB4430154
          Source: C:\Windows\SysWOW64\chkdsk.exe - API/Special instruction interceptor: Address: 7FFDB442D8A4
          Source: C:\Windows\SysWOW64\chkdsk.exe - API/Special instruction interceptor: Address: 7FFDB442DA44
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exe - RDTSC instruction interceptor: First address: 4C69904 second address: 4C6990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exe - RDTSC instruction interceptor: First address: 4C69B7E second address: 4C69B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Memory allocated: D40000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Memory allocated: 2A40000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Memory allocated: FE0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Memory allocated: 7B50000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Memory allocated: 8B50000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Memory allocated: 8D10000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Memory allocated: 9D10000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_00409AB0 rdtsc 5_2_00409AB0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 6326
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 3381
          Source: C:\Windows\explorer.exe - Window / User API: threadDelayed 9468
          Source: C:\Windows\explorer.exe - Window / User API: threadDelayed 473
          Source: C:\Windows\explorer.exe - Window / User API: foregroundWindowGot 896
          Source: C:\Windows\SysWOW64\chkdsk.exe - Window / User API: threadDelayed 9798
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - API coverage: 1.7 %
          Source: C:\Windows\SysWOW64\chkdsk.exe - API coverage: 2.3 %
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe TID: 1668 - Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5964 - Thread sleep time: -3689348814741908s >= -30000s
          Source: C:\Windows\explorer.exe TID: 1492 - Thread sleep count: 9468 > 30
          Source: C:\Windows\explorer.exe TID: 1492 - Thread sleep time: -18936000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 1492 - Thread sleep count: 473 > 30
          Source: C:\Windows\explorer.exe TID: 1492 - Thread sleep time: -946000s >= -30000s
          Source: C:\Windows\SysWOW64\chkdsk.exe TID: 5972 - Thread sleep count: 172 > 30
          Source: C:\Windows\SysWOW64\chkdsk.exe TID: 5972 - Thread sleep time: -344000s >= -30000s
          Source: C:\Windows\SysWOW64\chkdsk.exe TID: 5972 - Thread sleep count: 9798 > 30
          Source: C:\Windows\SysWOW64\chkdsk.exe TID: 5972 - Thread sleep time: -19596000s >= -30000s
          Source: C:\Windows\SysWOW64\chkdsk.exe - Last function: Thread delayed
          Source: explorer.exe, 00000006.00000000.2160221869.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.000000000962B000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
          Source: explorer.exe, 00000006.00000002.4614750288.00000000097F3000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000006.00000002.4614750288.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000973C000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAWws
          Source: explorer.exe, 00000006.00000000.2161826176.00000000098AD000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
          Source: explorer.exe, 00000006.00000002.4614750288.0000000009605000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: NXTVMWare
          Source: explorer.exe, 00000006.00000002.4603783392.0000000000D99000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000002.4614750288.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000978C000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000006.00000002.4603783392.0000000000D99000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
          Source: explorer.exe, 00000006.00000002.4620500167.000000000C474000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: 'me#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94
          Source: explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000006.00000000.2161826176.00000000098AD000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
          Source: explorer.exe, 00000006.00000002.4603783392.0000000000D99000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000006.00000000.2161826176.00000000098AD000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
          Source: explorer.exe, 00000006.00000002.4603783392.0000000000D99000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Process queried: DebugPort
          Source: C:\Windows\SysWOW64\chkdsk.exe - Process queried: DebugPort
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_0040ACF0 LdrLoadDll, 5_2_0040ACF0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_01596154 mov eax, dword ptr fs:[00000030h] 5_2_01596154
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_0158C156 mov eax, dword ptr fs:[00000030h] 5_2_0158C156
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_01624144 mov eax, dword ptr fs:[00000030h] 5_2_01624144
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_01624144 mov ecx, dword ptr fs:[00000030h] 5_2_01624144
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_01628158 mov eax, dword ptr fs:[00000030h] 5_2_01628158
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_01650115 mov eax, dword ptr fs:[00000030h] 5_2_01650115
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_015C0124 mov eax, dword ptr fs:[00000030h] 5_2_015C0124
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_0163A118 mov ecx, dword ptr fs:[00000030h] 5_2_0163A118
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_0163A118 mov eax, dword ptr fs:[00000030h] 5_2_0163A118
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_016661E5 mov eax, dword ptr fs:[00000030h] 5_2_016661E5
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_015C01F8 mov eax, dword ptr fs:[00000030h] 5_2_015C01F8
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_016561C3 mov eax, dword ptr fs:[00000030h] 5_2_016561C3
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_0160E1D0 mov eax, dword ptr fs:[00000030h] 5_2_0160E1D0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_0160E1D0 mov ecx, dword ptr fs:[00000030h] 5_2_0160E1D0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_0158A197 mov eax, dword ptr fs:[00000030h] 5_2_0158A197
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_015D0185 mov eax, dword ptr fs:[00000030h] 5_2_015D0185
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_01634180 mov eax, dword ptr fs:[00000030h] 5_2_01634180
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_0164C188 mov eax, dword ptr fs:[00000030h] 5_2_0164C188
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_0161019F mov eax, dword ptr fs:[00000030h] 5_2_0161019F
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_01592050 mov eax, dword ptr fs:[00000030h] 5_2_01592050
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_015BC073 mov eax, dword ptr fs:[00000030h] 5_2_015BC073
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_01616050 mov eax, dword ptr fs:[00000030h] 5_2_01616050
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_015AE016 mov eax, dword ptr fs:[00000030h] 5_2_015AE016
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_01626030 mov eax, dword ptr fs:[00000030h] 5_2_01626030
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_01614000 mov ecx, dword ptr fs:[00000030h] 5_2_01614000
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_01632000 mov eax, dword ptr fs:[00000030h] 5_2_01632000
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_0158A020 mov eax, dword ptr fs:[00000030h] 5_2_0158A020
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_0158C020 mov eax, dword ptr fs:[00000030h] 5_2_0158C020
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_016160E0 mov eax, dword ptr fs:[00000030h] 5_2_016160E0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_0158C0F0 mov eax, dword ptr fs:[00000030h] 5_2_0158C0F0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_015D20F0 mov ecx, dword ptr fs:[00000030h] 5_2_015D20F0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_015980E9 mov eax, dword ptr fs:[00000030h] 5_2_015980E9
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_0158A0E3 mov ecx, dword ptr fs:[00000030h] 5_2_0158A0E3
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_016120DE mov eax, dword ptr fs:[00000030h] 5_2_016120DE
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe - Code function: 5_2_016280A8 mov eax, dword ptr fs:[00000030h] 5_2_016280A8
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0159208A mov eax, dword ptr fs:[00000030h]5_2_0159208A
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_016560B8 mov eax, dword ptr fs:[00000030h]5_2_016560B8
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_016560B8 mov ecx, dword ptr fs:[00000030h]5_2_016560B8
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0163437C mov eax, dword ptr fs:[00000030h]5_2_0163437C
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01612349 mov eax, dword ptr fs:[00000030h]5_2_01612349
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01612349 mov eax, dword ptr fs:[00000030h]5_2_01612349
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01612349 mov eax, dword ptr fs:[00000030h]5_2_01612349
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01612349 mov eax, dword ptr fs:[00000030h]5_2_01612349
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01612349 mov eax, dword ptr fs:[00000030h]5_2_01612349
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01612349 mov eax, dword ptr fs:[00000030h]5_2_01612349
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01612349 mov eax, dword ptr fs:[00000030h]5_2_01612349
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01612349 mov eax, dword ptr fs:[00000030h]5_2_01612349
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01612349 mov eax, dword ptr fs:[00000030h]5_2_01612349
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01612349 mov eax, dword ptr fs:[00000030h]5_2_01612349
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01612349 mov eax, dword ptr fs:[00000030h]5_2_01612349
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01612349 mov eax, dword ptr fs:[00000030h]5_2_01612349
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01612349 mov eax, dword ptr fs:[00000030h]5_2_01612349
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01612349 mov eax, dword ptr fs:[00000030h]5_2_01612349
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01612349 mov eax, dword ptr fs:[00000030h]5_2_01612349
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0165A352 mov eax, dword ptr fs:[00000030h]5_2_0165A352
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0161035C mov eax, dword ptr fs:[00000030h]5_2_0161035C
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0161035C mov eax, dword ptr fs:[00000030h]5_2_0161035C
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0161035C mov eax, dword ptr fs:[00000030h]5_2_0161035C
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0161035C mov ecx, dword ptr fs:[00000030h]5_2_0161035C
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0161035C mov eax, dword ptr fs:[00000030h]5_2_0161035C
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0161035C mov eax, dword ptr fs:[00000030h]5_2_0161035C
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0158C310 mov ecx, dword ptr fs:[00000030h]5_2_0158C310
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015B0310 mov ecx, dword ptr fs:[00000030h]5_2_015B0310
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015CA30B mov eax, dword ptr fs:[00000030h]5_2_015CA30B
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015CA30B mov eax, dword ptr fs:[00000030h]5_2_015CA30B
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015CA30B mov eax, dword ptr fs:[00000030h]5_2_015CA30B
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0159A3C0 mov eax, dword ptr fs:[00000030h]5_2_0159A3C0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0159A3C0 mov eax, dword ptr fs:[00000030h]5_2_0159A3C0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0159A3C0 mov eax, dword ptr fs:[00000030h]5_2_0159A3C0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0159A3C0 mov eax, dword ptr fs:[00000030h]5_2_0159A3C0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0159A3C0 mov eax, dword ptr fs:[00000030h]5_2_0159A3C0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0159A3C0 mov eax, dword ptr fs:[00000030h]5_2_0159A3C0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015983C0 mov eax, dword ptr fs:[00000030h]5_2_015983C0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015983C0 mov eax, dword ptr fs:[00000030h]5_2_015983C0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015983C0 mov eax, dword ptr fs:[00000030h]5_2_015983C0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015983C0 mov eax, dword ptr fs:[00000030h]5_2_015983C0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_016163C0 mov eax, dword ptr fs:[00000030h]5_2_016163C0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015C63FF mov eax, dword ptr fs:[00000030h]5_2_015C63FF
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0164C3CD mov eax, dword ptr fs:[00000030h]5_2_0164C3CD
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015AE3F0 mov eax, dword ptr fs:[00000030h]5_2_015AE3F0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015AE3F0 mov eax, dword ptr fs:[00000030h]5_2_015AE3F0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015AE3F0 mov eax, dword ptr fs:[00000030h]5_2_015AE3F0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A03E9 mov eax, dword ptr fs:[00000030h]5_2_015A03E9
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A03E9 mov eax, dword ptr fs:[00000030h]5_2_015A03E9
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A03E9 mov eax, dword ptr fs:[00000030h]5_2_015A03E9
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A03E9 mov eax, dword ptr fs:[00000030h]5_2_015A03E9
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A03E9 mov eax, dword ptr fs:[00000030h]5_2_015A03E9
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A03E9 mov eax, dword ptr fs:[00000030h]5_2_015A03E9
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A03E9 mov eax, dword ptr fs:[00000030h]5_2_015A03E9
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A03E9 mov eax, dword ptr fs:[00000030h]5_2_015A03E9
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_016343D4 mov eax, dword ptr fs:[00000030h]5_2_016343D4
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_016343D4 mov eax, dword ptr fs:[00000030h]5_2_016343D4
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01588397 mov eax, dword ptr fs:[00000030h]5_2_01588397
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01588397 mov eax, dword ptr fs:[00000030h]5_2_01588397
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01588397 mov eax, dword ptr fs:[00000030h]5_2_01588397
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0158E388 mov eax, dword ptr fs:[00000030h]5_2_0158E388
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0158E388 mov eax, dword ptr fs:[00000030h]5_2_0158E388
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0158E388 mov eax, dword ptr fs:[00000030h]5_2_0158E388
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015B438F mov eax, dword ptr fs:[00000030h]5_2_015B438F
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015B438F mov eax, dword ptr fs:[00000030h]5_2_015B438F
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01596259 mov eax, dword ptr fs:[00000030h]5_2_01596259
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0158A250 mov eax, dword ptr fs:[00000030h]5_2_0158A250
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01640274 mov eax, dword ptr fs:[00000030h]5_2_01640274
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01640274 mov eax, dword ptr fs:[00000030h]5_2_01640274
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01640274 mov eax, dword ptr fs:[00000030h]5_2_01640274
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01640274 mov eax, dword ptr fs:[00000030h]5_2_01640274
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01640274 mov eax, dword ptr fs:[00000030h]5_2_01640274
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01640274 mov eax, dword ptr fs:[00000030h]5_2_01640274
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01640274 mov eax, dword ptr fs:[00000030h]5_2_01640274
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01640274 mov eax, dword ptr fs:[00000030h]5_2_01640274
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01640274 mov eax, dword ptr fs:[00000030h]5_2_01640274
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01640274 mov eax, dword ptr fs:[00000030h]5_2_01640274
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01640274 mov eax, dword ptr fs:[00000030h]5_2_01640274
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01640274 mov eax, dword ptr fs:[00000030h]5_2_01640274
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01618243 mov eax, dword ptr fs:[00000030h]5_2_01618243
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01618243 mov ecx, dword ptr fs:[00000030h]5_2_01618243
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0158826B mov eax, dword ptr fs:[00000030h]5_2_0158826B
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01594260 mov eax, dword ptr fs:[00000030h]5_2_01594260
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01594260 mov eax, dword ptr fs:[00000030h]5_2_01594260
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01594260 mov eax, dword ptr fs:[00000030h]5_2_01594260
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0158823B mov eax, dword ptr fs:[00000030h]5_2_0158823B
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0159A2C3 mov eax, dword ptr fs:[00000030h]5_2_0159A2C3
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0159A2C3 mov eax, dword ptr fs:[00000030h]5_2_0159A2C3
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0159A2C3 mov eax, dword ptr fs:[00000030h]5_2_0159A2C3
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0159A2C3 mov eax, dword ptr fs:[00000030h]5_2_0159A2C3
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0159A2C3 mov eax, dword ptr fs:[00000030h]5_2_0159A2C3
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A02E1 mov eax, dword ptr fs:[00000030h]5_2_015A02E1
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A02E1 mov eax, dword ptr fs:[00000030h]5_2_015A02E1
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A02E1 mov eax, dword ptr fs:[00000030h]5_2_015A02E1
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_016262A0 mov eax, dword ptr fs:[00000030h]5_2_016262A0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_016262A0 mov ecx, dword ptr fs:[00000030h]5_2_016262A0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_016262A0 mov eax, dword ptr fs:[00000030h]5_2_016262A0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_016262A0 mov eax, dword ptr fs:[00000030h]5_2_016262A0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_016262A0 mov eax, dword ptr fs:[00000030h]5_2_016262A0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_016262A0 mov eax, dword ptr fs:[00000030h]5_2_016262A0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015CE284 mov eax, dword ptr fs:[00000030h]5_2_015CE284
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015CE284 mov eax, dword ptr fs:[00000030h]5_2_015CE284
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01610283 mov eax, dword ptr fs:[00000030h]5_2_01610283
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01610283 mov eax, dword ptr fs:[00000030h]5_2_01610283
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01610283 mov eax, dword ptr fs:[00000030h]5_2_01610283
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01598550 mov eax, dword ptr fs:[00000030h]5_2_01598550
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01598550 mov eax, dword ptr fs:[00000030h]5_2_01598550
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015C656A mov eax, dword ptr fs:[00000030h]5_2_015C656A
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015C656A mov eax, dword ptr fs:[00000030h]5_2_015C656A
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015C656A mov eax, dword ptr fs:[00000030h]5_2_015C656A
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01626500 mov eax, dword ptr fs:[00000030h]5_2_01626500
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015BE53E mov eax, dword ptr fs:[00000030h]5_2_015BE53E
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015BE53E mov eax, dword ptr fs:[00000030h]5_2_015BE53E
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015BE53E mov eax, dword ptr fs:[00000030h]5_2_015BE53E
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015BE53E mov eax, dword ptr fs:[00000030h]5_2_015BE53E
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015BE53E mov eax, dword ptr fs:[00000030h]5_2_015BE53E
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01664500 mov eax, dword ptr fs:[00000030h]5_2_01664500
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01664500 mov eax, dword ptr fs:[00000030h]5_2_01664500
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01664500 mov eax, dword ptr fs:[00000030h]5_2_01664500
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01664500 mov eax, dword ptr fs:[00000030h]5_2_01664500
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01664500 mov eax, dword ptr fs:[00000030h]5_2_01664500
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01664500 mov eax, dword ptr fs:[00000030h]5_2_01664500
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01664500 mov eax, dword ptr fs:[00000030h]5_2_01664500
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A0535 mov eax, dword ptr fs:[00000030h]5_2_015A0535
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A0535 mov eax, dword ptr fs:[00000030h]5_2_015A0535
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A0535 mov eax, dword ptr fs:[00000030h]5_2_015A0535
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A0535 mov eax, dword ptr fs:[00000030h]5_2_015A0535
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A0535 mov eax, dword ptr fs:[00000030h]5_2_015A0535
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A0535 mov eax, dword ptr fs:[00000030h]5_2_015A0535
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015965D0 mov eax, dword ptr fs:[00000030h]5_2_015965D0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015CA5D0 mov eax, dword ptr fs:[00000030h]5_2_015CA5D0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015CA5D0 mov eax, dword ptr fs:[00000030h]5_2_015CA5D0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015CE5CF mov eax, dword ptr fs:[00000030h]5_2_015CE5CF
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015CE5CF mov eax, dword ptr fs:[00000030h]5_2_015CE5CF
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015CC5ED mov eax, dword ptr fs:[00000030h]5_2_015CC5ED
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015CC5ED mov eax, dword ptr fs:[00000030h]5_2_015CC5ED
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015925E0 mov eax, dword ptr fs:[00000030h]5_2_015925E0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015BE5E7 mov eax, dword ptr fs:[00000030h]5_2_015BE5E7
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015BE5E7 mov eax, dword ptr fs:[00000030h]5_2_015BE5E7
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015BE5E7 mov eax, dword ptr fs:[00000030h]5_2_015BE5E7
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015BE5E7 mov eax, dword ptr fs:[00000030h]5_2_015BE5E7
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015BE5E7 mov eax, dword ptr fs:[00000030h]5_2_015BE5E7
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015BE5E7 mov eax, dword ptr fs:[00000030h]5_2_015BE5E7
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015BE5E7 mov eax, dword ptr fs:[00000030h]5_2_015BE5E7
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015BE5E7 mov eax, dword ptr fs:[00000030h]5_2_015BE5E7
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015CE59C mov eax, dword ptr fs:[00000030h]5_2_015CE59C
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_016105A7 mov eax, dword ptr fs:[00000030h]5_2_016105A7
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_016105A7 mov eax, dword ptr fs:[00000030h]5_2_016105A7
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_016105A7 mov eax, dword ptr fs:[00000030h]5_2_016105A7
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015C4588 mov eax, dword ptr fs:[00000030h]5_2_015C4588
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01592582 mov eax, dword ptr fs:[00000030h]5_2_01592582
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01592582 mov ecx, dword ptr fs:[00000030h]5_2_01592582
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015B45B1 mov eax, dword ptr fs:[00000030h]5_2_015B45B1
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015B45B1 mov eax, dword ptr fs:[00000030h]5_2_015B45B1
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015B245A mov eax, dword ptr fs:[00000030h]5_2_015B245A
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0161C460 mov ecx, dword ptr fs:[00000030h]5_2_0161C460
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0158645D mov eax, dword ptr fs:[00000030h]5_2_0158645D
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015CE443 mov eax, dword ptr fs:[00000030h]5_2_015CE443
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015CE443 mov eax, dword ptr fs:[00000030h]5_2_015CE443
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015CE443 mov eax, dword ptr fs:[00000030h]5_2_015CE443
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015CE443 mov eax, dword ptr fs:[00000030h]5_2_015CE443
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015CE443 mov eax, dword ptr fs:[00000030h]5_2_015CE443
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015CE443 mov eax, dword ptr fs:[00000030h]5_2_015CE443
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015CE443 mov eax, dword ptr fs:[00000030h]5_2_015CE443
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015CE443 mov eax, dword ptr fs:[00000030h]5_2_015CE443
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015BA470 mov eax, dword ptr fs:[00000030h]5_2_015BA470
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015BA470 mov eax, dword ptr fs:[00000030h]5_2_015BA470
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015BA470 mov eax, dword ptr fs:[00000030h]5_2_015BA470
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01616420 mov eax, dword ptr fs:[00000030h]5_2_01616420
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01616420 mov eax, dword ptr fs:[00000030h]5_2_01616420
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01616420 mov eax, dword ptr fs:[00000030h]5_2_01616420
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01616420 mov eax, dword ptr fs:[00000030h]5_2_01616420
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01616420 mov eax, dword ptr fs:[00000030h]5_2_01616420
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01616420 mov eax, dword ptr fs:[00000030h]5_2_01616420
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01616420 mov eax, dword ptr fs:[00000030h]5_2_01616420
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015C8402 mov eax, dword ptr fs:[00000030h]5_2_015C8402
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015C8402 mov eax, dword ptr fs:[00000030h]5_2_015C8402
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015C8402 mov eax, dword ptr fs:[00000030h]5_2_015C8402
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015CA430 mov eax, dword ptr fs:[00000030h]5_2_015CA430
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0158E420 mov eax, dword ptr fs:[00000030h]5_2_0158E420
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0158E420 mov eax, dword ptr fs:[00000030h]5_2_0158E420
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0158E420 mov eax, dword ptr fs:[00000030h]5_2_0158E420
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0158C427 mov eax, dword ptr fs:[00000030h]5_2_0158C427
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015904E5 mov ecx, dword ptr fs:[00000030h]5_2_015904E5
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0161A4B0 mov eax, dword ptr fs:[00000030h]5_2_0161A4B0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015C44B0 mov ecx, dword ptr fs:[00000030h]5_2_015C44B0
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015964AB mov eax, dword ptr fs:[00000030h]5_2_015964AB
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01590750 mov eax, dword ptr fs:[00000030h]5_2_01590750
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015D2750 mov eax, dword ptr fs:[00000030h]5_2_015D2750
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015D2750 mov eax, dword ptr fs:[00000030h]5_2_015D2750
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015C674D mov esi, dword ptr fs:[00000030h]5_2_015C674D
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015C674D mov eax, dword ptr fs:[00000030h]5_2_015C674D
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015C674D mov eax, dword ptr fs:[00000030h]5_2_015C674D
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01598770 mov eax, dword ptr fs:[00000030h]5_2_01598770
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A0770 mov eax, dword ptr fs:[00000030h]5_2_015A0770
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A0770 mov eax, dword ptr fs:[00000030h]5_2_015A0770
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A0770 mov eax, dword ptr fs:[00000030h]5_2_015A0770
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A0770 mov eax, dword ptr fs:[00000030h]5_2_015A0770
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A0770 mov eax, dword ptr fs:[00000030h]5_2_015A0770
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A0770 mov eax, dword ptr fs:[00000030h]5_2_015A0770
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A0770 mov eax, dword ptr fs:[00000030h]5_2_015A0770
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A0770 mov eax, dword ptr fs:[00000030h]5_2_015A0770
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A0770 mov eax, dword ptr fs:[00000030h]5_2_015A0770
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A0770 mov eax, dword ptr fs:[00000030h]5_2_015A0770
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A0770 mov eax, dword ptr fs:[00000030h]5_2_015A0770
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015A0770 mov eax, dword ptr fs:[00000030h]5_2_015A0770
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01614755 mov eax, dword ptr fs:[00000030h]5_2_01614755
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0161E75D mov eax, dword ptr fs:[00000030h]5_2_0161E75D
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_01590710 mov eax, dword ptr fs:[00000030h]5_2_01590710
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_015C0710 mov eax, dword ptr fs:[00000030h]5_2_015C0710
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeCode function: 5_2_0160C730 mov eax, dword ptr fs:[00000030h]5_2_0160C730
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKLIF 2002509.exe"
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | NtClose: Indirect: 0x150A56C
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | NtClose: Indirect: 0x154A56C
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | NtQueueApcThread: Indirect: 0x150A4F2
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | NtQueueApcThread: Indirect: 0x154A4F2
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Memory written: C:\Users\user\Desktop\TEKLIF 2002509.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Section loaded: NULL target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\chkdsk.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\chkdsk.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Thread register set: target process: 4004
          Source: C:\Windows\SysWOW64\chkdsk.exe | Thread register set: target process: 4004
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: C40000
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKLIF 2002509.exe"
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Process created: C:\Users\user\Desktop\TEKLIF 2002509.exe "C:\Users\user\Desktop\TEKLIF 2002509.exe"
          Source: C:\Windows\SysWOW64\chkdsk.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TEKLIF 2002509.exe"
          Source: explorer.exe, 00000006.00000002.4608698873.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2148805570.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
          Source: explorer.exe, 00000006.00000000.2151899758.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4608698873.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2148805570.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000002.4608698873.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2148805570.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000006.00000002.4603783392.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2148161605.0000000000D69000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +Progman
          Source: explorer.exe, 00000006.00000002.4608698873.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2148805570.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000006.00000003.2979331163.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2161826176.00000000098AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd31A
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Queries volume information: C:\Users\user\Desktop\TEKLIF 2002509.exe VolumeInformation
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TEKLIF 2002509.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
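The three "Process created" entries above are the events a detection engineer keys on: powershell.exe adding a Windows Defender exclusion for the sample path, the sample re-launching itself (the hollowing parent/child pair), and the hollowed chkdsk.exe deleting the original file through cmd.exe /c del. The block below is an added example, not part of the Joe Sandbox report, that runs that detection logic over a few constructed process-creation records. The pipe-separated ParentImage|Image|CommandLine layout, the sample records, the rule names and the one-entry NO_CHILD_UTILITIES list are assumptions; the -EncodedCommand decoding is included because the report's Sigma hit ("Powershell Base64 Encoded MpPreference Cmdlet") shows the same cmdlet can arrive base64-encoded.

```python
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def b64_ps(cmd: str) -> str:
    """Encode a command the way powershell.exe -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed telemetry (assumption: one 'ParentImage|Image|CommandLine' record per line).
# Records 1-3 mirror the report's three "Process created" entries; 4-5 are benign controls;
# record 6 is the base64-encoded variant of the exclusion command.
SAMPLE_LOG = "\n".join([
    r'C:\Users\user\Desktop\TEKLIF 2002509.exe|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe|"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKLIF 2002509.exe"',
    r'C:\Users\user\Desktop\TEKLIF 2002509.exe|C:\Users\user\Desktop\TEKLIF 2002509.exe|"C:\Users\user\Desktop\TEKLIF 2002509.exe"',
    r'C:\Windows\SysWOW64\chkdsk.exe|C:\Windows\SysWOW64\cmd.exe|/c del "C:\Users\user\Desktop\TEKLIF 2002509.exe"',
    r'C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|"C:\Windows\System32\notepad.exe" notes.txt',
    r'C:\Windows\System32\svchost.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -Command Get-MpPreference',
    r'C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc '
    + b64_ps(r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'"),
])

# The cmdlet followed by any of its exclusion parameters (ExclusionPath/Process/Extension).
MPPREF_RE = re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
DEL_RE = re.compile(r'\bdel\s+"?([^"]+?\.exe)"?', re.I)
# System utilities that never legitimately spawn an interpreter; chkdsk.exe is the
# hollowed host in this report. Assumption: extend this list per environment.
NO_CHILD_UTILITIES = {"chkdsk.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> list[ProcEvent]:
    return [ProcEvent(*line.split("|", 2)) for line in text.strip().splitlines()]


def effective_command(cmd: str) -> str:
    """Command line plus the decoded -EncodedCommand payload, if one is present."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1)).decode("utf-16-le", "ignore")
    except (ValueError, UnicodeDecodeError):
        return cmd


def detect(events: list[ProcEvent]) -> list[tuple[str, str]]:
    """Return (rule_name, evidence) pairs in event order."""
    findings = []
    for e in events:
        img, parent = basename(e.image), basename(e.parent_image)
        cmd = effective_command(e.command_line)
        # Rule 1: Defender exclusion added (plain or base64-encoded command line).
        if img == "powershell.exe" and MPPREF_RE.search(cmd):
            findings.append(("defender_exclusion_added", e.parent_image))
        # Rule 2: cmd.exe deleting an executable under a user-writable path (self-delete pattern).
        if img == "cmd.exe":
            m = DEL_RE.search(cmd)
            if m and "\\users\\" in m.group(1).lower():
                findings.append(("cmd_deletes_user_executable", m.group(1)))
        # Rule 3: a utility that should have no children spawning an interpreter (hollowed host).
        if parent in NO_CHILD_UTILITIES and img in INTERPRETERS:
            findings.append(("interpreter_spawned_by_hollow_host", e.parent_image))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule}: {evidence}")
```

Rule 1 keys on the Image being powershell.exe rather than on the literal "powershell.exe" in the command line, so a renamed copy still has to be caught by image-hash telemetry; rule 3 is the one that survives an attacker changing the cmdlet, because it looks only at the parent/child relationship the hollowing leaves behind.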

Stealing of Sensitive Information

Source: Yara match | File source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.TEKLIF 2002509.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.TEKLIF 2002509.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix, one line per tactic, cells listed in the report's row order; the numbers in parentheses are the badges displayed in the report's matrix cells (cells without a number are the matrix's unmatched placeholders):

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies | Network Topology | IP Addresses
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless | Malvertising | Compromise Infrastructure
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise | Exploit Public-Facing Application | Supply Chain Compromise
Execution: Shared Modules (1) | Scheduled Task/Job | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job | Command and Scripting Interpreter | PowerShell
Persistence: DLL Side-Loading (1) | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At | Cron
Privilege Escalation: Process Injection (512) | Abuse Elevation Control Mechanism (1) | DLL Side-Loading (1) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At | Cron
Defense Evasion: Masquerading (1) | Disable or Modify Tools (11) | Virtualization/Sandbox Evasion (41) | Process Injection (512) | Deobfuscate/Decode Files or Information (1) | Abuse Elevation Control Mechanism (1) | Obfuscated Files or Information (4) | Software Packing (12) | Timestomp (1) | DLL Side-Loading (1)
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem | /etc/passwd and /etc/shadow | Network Sniffing
Discovery: Security Software Discovery (221) | Process Discovery (2) | Virtualization/Sandbox Evasion (41) | Application Window Discovery (1) | File and Directory Discovery (1) | System Information Discovery (212) | Remote System Discovery | System Owner/User Discovery | Network Sniffing | Network Service Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services | Direct Cloud VM Connections | Shared Webroot
Collection: Archive Collected Data (1) | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking | Data Staged | Local Data Staging
Command and Control: Encrypted Channel (1) | Non-Application Layer Protocol (1) | Application Layer Protocol (11) | Protocol Impersonation | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol | Web Protocols | File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement | Internal Defacement | External Defacement

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 1520407 | Sample: TEKLIF 2002509.exe | Startdate: 27/09/2024 | Architecture: WINDOWS | Score: 100

Start
  DNS/IP: www.uhtwister.cloud; www.sicologosportugueses.online; 9 other IPs or domains
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 11 other signatures
  started: TEKLIF 2002509.exe (4)
    dropped: C:\Users\user\...\TEKLIF 2002509.exe.log, ASCII
    Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    started: TEKLIF 2002509.exe
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
      injected: explorer.exe (62 1)
        started: chkdsk.exe
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
          started: cmd.exe (1)
            started: conhost.exe
    started: powershell.exe (23)
      Signatures: Loading BitLocker PowerShell Module
      started: conhost.exe

Source | Detection | Scanner | Label | Link
TEKLIF 2002509.exe | 74% | ReversingLabs | Win32.Backdoor.FormBook |
TEKLIF 2002509.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | URL Reputation | safe |
https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe |
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe |
https://android.notify.windows.com/iOS | 0% | URL Reputation | safe |
http://schemas.micro | 0% | URL Reputation | safe |
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe |
https://api.msn.com/ | 0% | URL Reputation | safe |
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.uhtwister.cloud | unknown | unknown | true | | unknown
www.avada-casino-tlj.buzz | unknown | unknown | true | | unknown
www.sicologosportugueses.online | unknown | unknown | true | | unknown
www.akemoneyonline.bond | unknown | unknown | true | | unknown
www.mberbreeze.cyou | unknown | unknown | true | | unknown
www.ffpage.shop | unknown | unknown | true | | unknown
www.ewferg.top | unknown | unknown | true | | unknown
www.nline-degree-6987776.world | unknown | unknown | true | | unknown
www.nfluencer-marketing-17923.bond | unknown | unknown | true | | unknown
www.obs-for-seniors-39582.bond | unknown | unknown | true | | unknown
www.8009.top | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
www.avada-casino-tlj.buzz/bc01/ | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.uhtwister.cloud | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.ffpage.shop/bc01/ | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF | explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.8009.top | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.ractors-42621.bond/bc01/www.torygame168.online | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000006.00000002.4614750288.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://word.office.comM | explorer.exe, 00000006.00000002.4618097457.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075352059.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2985609705.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2165698590.000000000C048000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.akemoneyonline.bond | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar- | explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri | explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.ewferg.top/bc01/ | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.obs-for-seniors-39582.bond | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.sicologosportugueses.online/bc01/ | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.lkjuy.xyz/bc01/www.sicologosportugueses.online | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.mberbreeze.cyou | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://wns.windows.com/e | explorer.exe, 00000006.00000002.4614750288.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2161826176.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979331163.00000000099AB000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | TEKLIF 2002509.exe, 00000000.00000002.2149822978.0000000002A41000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.lkjuy.xyzReferer: | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.akemoneyonline.bondReferer: | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.torygame168.online/bc01/ | explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.torygame168.online | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.lkjuy.xyz | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc | explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of- | explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.ewferg.topReferer: | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.torygame168.onlineReferer: | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
                                                                                  http://www.ffpage.shopReferer:explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    http://www.sicologosportugueses.onlineexplorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      http://www.nline-degree-6987776.worldexplorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        https://android.notify.windows.com/iOSexplorer.exe, 00000006.00000002.4618097457.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2165698590.000000000BFDF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://outlook.comeexplorer.exe, 00000006.00000002.4618097457.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075352059.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2985609705.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2165698590.000000000C048000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppexplorer.exe, 00000006.00000002.4614750288.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2161826176.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979331163.00000000099AB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-theexplorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              http://www.nfluencer-marketing-17923.bondReferer:explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                http://www.mberbreeze.cyouReferer:explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  http://www.ffpage.shop/bc01/www.mberbreeze.cyouexplorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      http://www.mberbreeze.cyou/bc01/explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        http://www.ractors-42621.bond/bc01/explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          https://api.msn.com/v1/news/Feed/Windows?explorer.exe, 00000006.00000000.2160221869.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.000000000962B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            http://www.akemoneyonline.bond/bc01/explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              https://api.msn.com/Iexplorer.exe, 00000006.00000000.2160221869.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.000000000962B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                http://www.epatitis-treatment-26155.bondexplorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  http://www.akemoneyonline.bond/bc01/www.lkjuy.xyzexplorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    http://www.avada-casino-tlj.buzz/bc01/explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      http://www.lkjuy.xyz/bc01/explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        http://www.ractors-42621.bondReferer:explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          http://www.uhtwister.cloudReferer:explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            http://schemas.microexplorer.exe, 00000006.00000002.4609091546.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2156332726.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4613506646.0000000007B60000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://www.mberbreeze.cyou/bc01/www.obs-for-seniors-39582.bondexplorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              http://www.ewferg.top/bc01/www.epatitis-treatment-26155.bondexplorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                http://www.8009.top/bc01/www.nfluencer-marketing-17923.bondexplorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  http://www.uhtwister.cloud/bc01/explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    http://www.uhtwister.cloud/bc01/www.akemoneyonline.bondexplorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      http://www.obs-for-seniors-39582.bond/bc01/explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        http://www.ealthandwellnessly.digitalReferer:explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          http://www.epatitis-treatment-26155.bond/bc01/explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            http://www.nfluencer-marketing-17923.bondexplorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              http://www.nline-degree-6987776.world/bc01/explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                http://www.ealthandwellnessly.digital/bc01/www.ractors-42621.bondexplorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-hexplorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    http://www.8009.topReferer:explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-quexplorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        http://www.nline-degree-6987776.worldReferer:explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          http://www.obs-for-seniors-39582.bond/bc01/www.uhtwister.cloudexplorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                            unknown
                                                                                                                                                            http://www.nline-degree-6987776.world/bc01/www.8009.topexplorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                              unknown
                                                                                                                                                              http://www.ewferg.topexplorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                unknown
                                                                                                                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhzexplorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                  unknown
                                                                                                                                                                  https://excel.office.com-explorer.exe, 00000006.00000002.4618097457.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075352059.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2985609705.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2165698590.000000000C048000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                    unknown
                                                                                                                                                                    http://www.nfluencer-marketing-17923.bond/bc01/explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                      unknown
                                                                                                                                                                      http://www.8009.top/bc01/explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                        unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.epatitis-treatment-26155.bondReferer: | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.ealthandwellnessly.digital/bc01/ | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg | explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark | explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA | explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.sicologosportugueses.online/bc01/www.avada-casino-tlj.buzz | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.ffpage.shop | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c | explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve | explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.avada-casino-tlj.buzz/bc01/www.nline-degree-6987776.world | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.avada-casino-tlj.buzzReferer: | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.nfluencer-marketing-17923.bond/bc01/www.ewferg.top | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.torygame168.online/bc01/_ | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://powerpoint.office.comEMd | explorer.exe, 00000006.00000000.2165698590.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4618097457.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.epatitis-treatment-26155.bond/bc01/www.ealthandwellnessly.digital | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.ealthandwellnessly.digital | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation | explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.ractors-42621.bond | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.avada-casino-tlj.buzz | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com/ | explorer.exe, 00000006.00000000.2160221869.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.000000000962B000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.obs-for-seniors-39582.bondReferer: | explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com:443/en-us/feed | explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized- | explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
                                                                                                                                                                                                                    No contacted IP infos
                                                                                                                                                                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                                    Analysis ID:1520407
                                                                                                                                                                                                                    Start date and time:2024-09-27 10:42:38 +02:00
                                                                                                                                                                                                                    Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                    Overall analysis duration:0h 11m 14s
                                                                                                                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                    Report type:full
                                                                                                                                                                                                                    Cookbook file name:default.jbs
                                                                                                                                                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                                    Number of analysed new started processes analysed:14
                                                                                                                                                                                                                    Number of new started drivers analysed:0
                                                                                                                                                                                                                    Number of existing processes analysed:0
                                                                                                                                                                                                                    Number of existing drivers analysed:0
                                                                                                                                                                                                                    Number of injected processes analysed:1
                                                                                                                                                                                                                    Technologies:
                                                                                                                                                                                                                    • HCA enabled
                                                                                                                                                                                                                    • EGA enabled
                                                                                                                                                                                                                    • AMSI enabled
                                                                                                                                                                                                                    Analysis Mode:default
                                                                                                                                                                                                                    Sample name:TEKLIF 2002509.exe
                                                                                                                                                                                                                    Detection:MAL
                                                                                                                                                                                                                    Classification:mal100.troj.evad.winEXE@523/6@11/0
                                                                                                                                                                                                                    EGA Information:
                                                                                                                                                                                                                    • Successful, ratio: 100%
                                                                                                                                                                                                                    HCA Information:
                                                                                                                                                                                                                    • Successful, ratio: 100%
                                                                                                                                                                                                                    • Number of executed functions: 115
                                                                                                                                                                                                                    • Number of non-executed functions: 314
                                                                                                                                                                                                                    Cookbook Comments:
                                                                                                                                                                                                                    • Found application associated with file extension: .exe
                                                                                                                                                                                                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                                                                                                                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                                                                                                                                                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                                                                                    • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                                                                                                                    • Report size getting too big, too many NtOpenKey calls found.
                                                                                                                                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                    • VT rate limit hit for: TEKLIF 2002509.exe
                                                                                                                                                                                                                    TimeTypeDescription
                                                                                                                                                                                                                    04:43:29API Interceptor1x Sleep call for process: TEKLIF 2002509.exe modified
                                                                                                                                                                                                                    04:43:31API Interceptor11x Sleep call for process: powershell.exe modified
                                                                                                                                                                                                                    04:43:45API Interceptor8253186x Sleep call for process: explorer.exe modified
                                                                                                                                                                                                                    04:44:20API Interceptor7217928x Sleep call for process: chkdsk.exe modified
                                                                                                                                                                                                                    No context
                                                                                                                                                                                                                    No context
                                                                                                                                                                                                                    No context
                                                                                                                                                                                                                    No context
                                                                                                                                                                                                                    No context
                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\TEKLIF 2002509.exe
                                                                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):1216
                                                                                                                                                                                                                    Entropy (8bit):5.34331486778365
Encrypted:false
SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:1330C80CAAC9A0FB172F202485E9B1E8
SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):1172
Entropy (8bit):5.356731422178564
Encrypted:false
SSDEEP:24:3CytZWSKco4KmZjKbmOIKod6emN1s4RPQoU99t7J0gt/NKIl9iagu:yyjWSU4xympjms4RIoU99tK8NDv
MD5:68CB8F49FDE7FC3DF6CEE19CB730C7F8
SHA1:1EC425657E358C85CA4A3A04E6525E29B59FCB16
SHA-256:5DA91A846188B8604BEE0056451D6185AA1B91646196C90699ADFF530F8BC555
SHA-512:D3FB70289E5CD0287009394E3C9485467999DB61F9AB74D16C9E6D0CF7D0A2411BF0F165EF24D5E7BB71FCAF78A84F5499600074ED2A3FE4F8AE47CF09654415
Malicious:false
Reputation:moderate, very likely benign file
Preview:@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.798916771132813
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name:TEKLIF 2002509.exe
File size:610'816 bytes
MD5:7a3bfa8d0ab2a9b1258925a73a037393
SHA1:5785960ead180d8709d2b4e182ada67cf751a85c
SHA256:8924d6255fe634004cc46de0a9ee6b4d7c44c1612947d747ebea2a6c06d2a37e
SHA512:aaf55fa5de8f5c8755383694256a369ecaf31337f6a768ffff22e76f16a5413bce56dafe7efb2145c43591d9f214770de0d0596b9094ce65a683157bd0baecd3
SSDEEP:12288:5sy8bQbFshgdcUTejQDo7ryDKdQRFlPHlhBhiJ+UXC/:KIeQr0HyDSQPFc+US/
TLSH:1DD401903299D403C4C24FB91E62D2F816766EC9AA22D30B9FEEBEEF7C767041441752
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,z................0..H...........f... ........@.. ....................................@................................
Icon Hash:00928e8e8686b000
Entrypoint:0x4966e2
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x90BE7A2C [Fri Dec 14 12:10:20 2046 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

Instruction
jmp dword ptr [00402000h]
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x96690 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x98000 | 0x5b4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x94d78 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x946e8 | 0x94800 | 4b20b2f9576656bfd3faadc04abc3631 | False | 0.9194500341961279 | data | 7.8074983869733705 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x98000 | 0x5b4 | 0x600 | d497ada16193642950d06d55dac3b550 | False | 0.4231770833333333 | data | 4.100349662958342 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x9a000 | 0xc | 0x200 | 3c70a2eb4701ba81d252197e4c48cf6b | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x98090 | 0x324 | data | | | 0.43407960199004975
RT_MANIFEST | 0x983c4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 10:44:13.882677078 CEST | 50561 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 10:44:13.892736912 CEST | 53 | 50561 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 10:44:33.631894112 CEST | 49660 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 10:44:33.642050982 CEST | 53 | 49660 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 10:44:53.569588900 CEST | 57526 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 10:44:53.580729961 CEST | 53 | 57526 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 10:45:13.897444010 CEST | 54666 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 10:45:13.916950941 CEST | 53 | 54666 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 10:45:34.977751970 CEST | 53638 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 10:45:34.987344980 CEST | 53 | 53638 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 10:46:16.179220915 CEST | 51424 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 10:46:16.189202070 CEST | 53 | 51424 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 10:46:36.781397104 CEST | 52753 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 10:46:36.790751934 CEST | 53 | 52753 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 10:46:57.210830927 CEST | 50304 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 10:46:57.226191044 CEST | 53 | 50304 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 10:47:17.841031075 CEST | 59176 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 10:47:18.720583916 CEST | 53 | 59176 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 10:47:40.335175991 CEST | 56286 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 10:47:40.353948116 CEST | 53 | 56286 | 1.1.1.1 | 192.168.2.6
Sep 27, 2024 10:48:00.506918907 CEST | 63766 | 53 | 192.168.2.6 | 1.1.1.1
Sep 27, 2024 10:48:00.596667051 CEST | 53 | 63766 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 27, 2024 10:44:13.882677078 CEST | 192.168.2.6 | 1.1.1.1 | 0xbf64 | Standard query (0) | www.ffpage.shop | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:44:33.631894112 CEST | 192.168.2.6 | 1.1.1.1 | 0x2250 | Standard query (0) | www.mberbreeze.cyou | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:44:53.569588900 CEST | 192.168.2.6 | 1.1.1.1 | 0x9683 | Standard query (0) | www.obs-for-seniors-39582.bond | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:45:13.897444010 CEST | 192.168.2.6 | 1.1.1.1 | 0x182d | Standard query (0) | www.uhtwister.cloud | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:45:34.977751970 CEST | 192.168.2.6 | 1.1.1.1 | 0x13f | Standard query (0) | www.akemoneyonline.bond | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:46:16.179220915 CEST | 192.168.2.6 | 1.1.1.1 | 0xe348 | Standard query (0) | www.sicologosportugueses.online | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:46:36.781397104 CEST | 192.168.2.6 | 1.1.1.1 | 0xe392 | Standard query (0) | www.avada-casino-tlj.buzz | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:46:57.210830927 CEST | 192.168.2.6 | 1.1.1.1 | 0x364c | Standard query (0) | www.nline-degree-6987776.world | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:47:17.841031075 CEST | 192.168.2.6 | 1.1.1.1 | 0x3e31 | Standard query (0) | www.8009.top | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:47:40.335175991 CEST | 192.168.2.6 | 1.1.1.1 | 0x62b1 | Standard query (0) | www.nfluencer-marketing-17923.bond | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:48:00.506918907 CEST | 192.168.2.6 | 1.1.1.1 | 0x8596 | Standard query (0) | www.ewferg.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 27, 2024 10:44:13.892736912 CEST | 1.1.1.1 | 192.168.2.6 | 0xbf64 | Name error (3) | www.ffpage.shop | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:44:33.642050982 CEST | 1.1.1.1 | 192.168.2.6 | 0x2250 | Name error (3) | www.mberbreeze.cyou | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:44:53.580729961 CEST | 1.1.1.1 | 192.168.2.6 | 0x9683 | Name error (3) | www.obs-for-seniors-39582.bond | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:45:13.916950941 CEST | 1.1.1.1 | 192.168.2.6 | 0x182d | Name error (3) | www.uhtwister.cloud | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:45:34.987344980 CEST | 1.1.1.1 | 192.168.2.6 | 0x13f | Name error (3) | www.akemoneyonline.bond | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:46:16.189202070 CEST | 1.1.1.1 | 192.168.2.6 | 0xe348 | Name error (3) | www.sicologosportugueses.online | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:46:36.790751934 CEST | 1.1.1.1 | 192.168.2.6 | 0xe392 | Name error (3) | www.avada-casino-tlj.buzz | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:46:57.226191044 CEST | 1.1.1.1 | 192.168.2.6 | 0x364c | Name error (3) | www.nline-degree-6987776.world | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:47:18.720583916 CEST | 1.1.1.1 | 192.168.2.6 | 0x3e31 | Name error (3) | www.8009.top | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:47:40.353948116 CEST | 1.1.1.1 | 192.168.2.6 | 0x62b1 | Name error (3) | www.nfluencer-marketing-17923.bond | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:48:00.596667051 CEST | 1.1.1.1 | 192.168.2.6 | 0x8596 | Name error (3) | www.ewferg.top | none | none | A (IP address) | IN (0x0001) | false
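As an added triage example (this is editor-written code, not part of the Joe Sandbox report): a Python script that pairs the DNS queries above with their answers by transaction ID and scores the pattern behind the report's signature "Tries to resolve many domain names, but no domain seems valid": eleven distinct names across eight TLDs, every one answered NXDOMAIN, asked roughly 20 seconds apart. The rows embedded in the script are the report's own DNS rows, hand-delimited with pipes; the thresholds (min_names, max_resolved, cadence_tolerance) and the field names are the author's assumptions and should be tuned to your environment.

```python
"""Score a sandbox DNS log for the "many names, none resolve" pattern.

Added example for this report, not Joe Sandbox code. The two tables below
are the report's DNS query and answer rows, hand-delimited with '|'; the
thresholds in triage_dns() are assumptions to tune, not published values.
"""
from datetime import datetime
from statistics import median

# Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DoH
DNS_QUERIES = """
Sep 27, 2024 10:44:13.882677078 CEST | 192.168.2.6 | 1.1.1.1 | 0xbf64 | Standard query (0) | www.ffpage.shop | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:44:33.631894112 CEST | 192.168.2.6 | 1.1.1.1 | 0x2250 | Standard query (0) | www.mberbreeze.cyou | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:44:53.569588900 CEST | 192.168.2.6 | 1.1.1.1 | 0x9683 | Standard query (0) | www.obs-for-seniors-39582.bond | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:45:13.897444010 CEST | 192.168.2.6 | 1.1.1.1 | 0x182d | Standard query (0) | www.uhtwister.cloud | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:45:34.977751970 CEST | 192.168.2.6 | 1.1.1.1 | 0x13f | Standard query (0) | www.akemoneyonline.bond | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:46:16.179220915 CEST | 192.168.2.6 | 1.1.1.1 | 0xe348 | Standard query (0) | www.sicologosportugueses.online | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:46:36.781397104 CEST | 192.168.2.6 | 1.1.1.1 | 0xe392 | Standard query (0) | www.avada-casino-tlj.buzz | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:46:57.210830927 CEST | 192.168.2.6 | 1.1.1.1 | 0x364c | Standard query (0) | www.nline-degree-6987776.world | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:47:17.841031075 CEST | 192.168.2.6 | 1.1.1.1 | 0x3e31 | Standard query (0) | www.8009.top | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:47:40.335175991 CEST | 192.168.2.6 | 1.1.1.1 | 0x62b1 | Standard query (0) | www.nfluencer-marketing-17923.bond | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:48:00.506918907 CEST | 192.168.2.6 | 1.1.1.1 | 0x8596 | Standard query (0) | www.ewferg.top | A (IP address) | IN (0x0001) | false
"""

# Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DoH
DNS_ANSWERS = """
Sep 27, 2024 10:44:13.892736912 CEST | 1.1.1.1 | 192.168.2.6 | 0xbf64 | Name error (3) | www.ffpage.shop | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:44:33.642050982 CEST | 1.1.1.1 | 192.168.2.6 | 0x2250 | Name error (3) | www.mberbreeze.cyou | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:44:53.580729961 CEST | 1.1.1.1 | 192.168.2.6 | 0x9683 | Name error (3) | www.obs-for-seniors-39582.bond | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:45:13.916950941 CEST | 1.1.1.1 | 192.168.2.6 | 0x182d | Name error (3) | www.uhtwister.cloud | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:45:34.987344980 CEST | 1.1.1.1 | 192.168.2.6 | 0x13f | Name error (3) | www.akemoneyonline.bond | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:46:16.189202070 CEST | 1.1.1.1 | 192.168.2.6 | 0xe348 | Name error (3) | www.sicologosportugueses.online | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:46:36.790751934 CEST | 1.1.1.1 | 192.168.2.6 | 0xe392 | Name error (3) | www.avada-casino-tlj.buzz | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:46:57.226191044 CEST | 1.1.1.1 | 192.168.2.6 | 0x364c | Name error (3) | www.nline-degree-6987776.world | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:47:18.720583916 CEST | 1.1.1.1 | 192.168.2.6 | 0x3e31 | Name error (3) | www.8009.top | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:47:40.353948116 CEST | 1.1.1.1 | 192.168.2.6 | 0x62b1 | Name error (3) | www.nfluencer-marketing-17923.bond | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 10:48:00.596667051 CEST | 1.1.1.1 | 192.168.2.6 | 0x8596 | Name error (3) | www.ewferg.top | none | none | A (IP address) | IN (0x0001) | false
"""


def parse_ts(text: str) -> datetime:
    """'Sep 27, 2024 10:44:13.882677078 CEST' -> datetime (nanoseconds truncated to microseconds)."""
    date, clock, _tz = text.rsplit(" ", 2)
    hms, frac = clock.split(".")
    return datetime.strptime(f"{date} {hms}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_rows(table: str) -> list[list[str]]:
    """Split a pipe-delimited table into stripped field lists, skipping blank lines."""
    return [[f.strip() for f in line.split("|")] for line in table.splitlines() if line.strip()]


def triage_dns(queries: str, answers: str, min_names: int = 5,
               max_resolved: int = 0, cadence_tolerance: float = 0.25) -> dict:
    """Pair each answer with its query by transaction ID and name, then summarise.

    The host is flagged when at least `min_names` distinct names were asked and at most
    `max_resolved` of them got an address. The median gap between queries and the number
    of gaps within `cadence_tolerance` of that median are reported as a secondary signal:
    a list walked on a fixed timer shows a tight cadence, human browsing does not.
    """
    queries_by_id: dict[str, tuple[datetime, str]] = {}
    for ts, _src, _dst, tid, _op, name, *_rest in parse_rows(queries):
        queries_by_id[tid] = (parse_ts(ts), name)

    resolved, nxdomain = set(), set()
    for _ts, _src, _dst, tid, rcode, name, *_rest in parse_rows(answers):
        if queries_by_id.get(tid, (None, None))[1] != name:
            continue  # reply without a matching query (or a different name): ignore
        (nxdomain if rcode.startswith("Name error") else resolved).add(name)

    times = sorted(t for t, _ in queries_by_id.values())
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = median(gaps) if gaps else 0.0
    regular = sum(abs(g - med) <= cadence_tolerance * med for g in gaps)
    names = {n for _, n in queries_by_id.values()}
    return {
        "distinct_names": len(names),
        "distinct_tlds": len({n.rsplit(".", 1)[-1] for n in names}),
        "nxdomain": len(nxdomain),
        "resolved": len(resolved),
        "median_gap_s": round(med, 3),
        "regular_gaps": regular,
        "total_gaps": len(gaps),
        "suspicious": len(names) >= min_names and len(resolved) <= max_resolved,
    }


if __name__ == "__main__":
    print(triage_dns(DNS_QUERIES, DNS_ANSWERS))
```

Matching answers on both transaction ID and name keeps stray or spoofed replies out of the count, and the cadence is taken from query timestamps rather than answer timestamps so a slow resolver (compare the 0x3e31 answer, almost a second late) does not distort it. In a real deployment the two tables would come from a DNS log or pcap rather than a hand-delimited string, and the `regular_gaps` figure is only a hint: a single missed beat, like the 41-second gap before the 0xe348 query here, should not clear a host on its own.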

                                                                                                                                                                                                                    Target ID:0
                                                                                                                                                                                                                    Start time:04:43:29
                                                                                                                                                                                                                    Start date:27/09/2024
                                                                                                                                                                                                                    Path:C:\Users\user\Desktop\TEKLIF 2002509.exe
                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                    Commandline:"C:\Users\user\Desktop\TEKLIF 2002509.exe"
                                                                                                                                                                                                                    Imagebase:0x570000
                                                                                                                                                                                                                    File size:610'816 bytes
                                                                                                                                                                                                                    MD5 hash:7A3BFA8D0AB2A9B1258925A73A037393
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:3
                                                                                                                                                                                                                    Start time:04:43:30
                                                                                                                                                                                                                    Start date:27/09/2024
                                                                                                                                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKLIF 2002509.exe"
                                                                                                                                                                                                                    Imagebase:0x6f0000
                                                                                                                                                                                                                    File size:433'152 bytes
                                                                                                                                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:4
                                                                                                                                                                                                                    Start time:04:43:30
                                                                                                                                                                                                                    Start date:27/09/2024
                                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                    Imagebase:0x7ff66e660000
                                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:5
                                                                                                                                                                                                                    Start time:04:43:30
                                                                                                                                                                                                                    Start date:27/09/2024
                                                                                                                                                                                                                    Path:C:\Users\user\Desktop\TEKLIF 2002509.exe
                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                    Commandline:"C:\Users\user\Desktop\TEKLIF 2002509.exe"
                                                                                                                                                                                                                    Imagebase:0xb40000
                                                                                                                                                                                                                    File size:610'816 bytes
                                                                                                                                                                                                                    MD5 hash:7A3BFA8D0AB2A9B1258925A73A037393
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                                    • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000005.00000002.2270725098.000000000146F000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:6
                                                                                                                                                                                                                    Start time:04:43:31
                                                                                                                                                                                                                    Start date:27/09/2024
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:C:\Windows\Explorer.EXE
Imagebase:0x7ff609140000
File size:5'141'208 bytes
MD5 hash:662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:7
Start time:04:43:40
Start date:27/09/2024
Path:C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\SysWOW64\chkdsk.exe"
Imagebase:0xc40000
File size:23'040 bytes
MD5 hash:B4016BEE9D8F3AD3D02DD21C3CAFB922
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:moderate
Has exited:false

Target ID:8
Start time:04:43:44
Start date:27/09/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:/c del "C:\Users\user\Desktop\TEKLIF 2002509.exe"
Imagebase:0x1c0000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:04:43:44
Start date:27/09/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true


Execution Graph

Execution Coverage:10.2%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:0%
Total number of Nodes:183
Total number of Limit Nodes:10
execution_graph: rendered node/edge graph not preserved in extraction. Node labels in the graph reference the following APIs: GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, GetModuleHandleW, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread, CreateProcessA, PostMessageW, DuplicateHandle, CreateActCtxA.

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 00D4D3FE
• GetCurrentThread.KERNEL32 ref: 00D4D43B
• GetCurrentProcess.KERNEL32 ref: 00D4D478
• GetCurrentThreadId.KERNEL32 ref: 00D4D4D1
Memory Dump Source
• Source File: 00000000.00000002.2149020473.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d40000_TEKLIF 2002509.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: ac195bfaec889f2302b22c4617ba44a08007dbd8bc35fb8183b42e2f2d8441f2
• Instruction ID: ac2a2b632cfb3b8053e433fbeb95b38d930c8972d9652689524d7d5c480b5337
• Opcode Fuzzy Hash: ac195bfaec889f2302b22c4617ba44a08007dbd8bc35fb8183b42e2f2d8441f2
• Instruction Fuzzy Hash: C76179B0901349DFEB14CFAAD548BEEBBF1EF88304F208499E009A7361D775A944CB65

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 00D4D3FE
• GetCurrentThread.KERNEL32 ref: 00D4D43B
• GetCurrentProcess.KERNEL32 ref: 00D4D478
• GetCurrentThreadId.KERNEL32 ref: 00D4D4D1
Memory Dump Source
• Source File: 00000000.00000002.2149020473.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d40000_TEKLIF 2002509.jbxd
Similarity
                                                                                                                                                                                                                      • API ID: Current$ProcessThread
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2063062207-0
                                                                                                                                                                                                                      • Opcode ID: 509872cafc91c17819b42f834ea6d973a477d71ebb4b8008a2b150e2eb9e00f6
                                                                                                                                                                                                                      • Instruction ID: 1997632e66a66c0dfbd858146e2d95a1ff6bb996791d5c3d74afb80616200e5f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 509872cafc91c17819b42f834ea6d973a477d71ebb4b8008a2b150e2eb9e00f6
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9E5147B0900749DFEB14CFAAD548BEEBBF1EF88304F248459E009A7350D774A944CB66

Control-flow Graph (graph image omitted; basic blocks 7a0755d-7a078ad, calls CreateProcessA)

APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A0779E
Memory Dump Source
• Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 50212a00486779ebfb6eaef6790abf2e2846b8bd7738e02fdbc166937ea5f00c
• Instruction ID: fb63c5d5c3deaf998ea4f6cc3ce93e550b10ed1174ccc53bc9eb94875773adae
• Opcode Fuzzy Hash: 50212a00486779ebfb6eaef6790abf2e2846b8bd7738e02fdbc166937ea5f00c
• Instruction Fuzzy Hash: 24A17EB1D00259DFEF20CF69D841BDDBBB2BF88310F148569E819A7280DB759985CF92

Control-flow Graph (graph image omitted; basic blocks 7a07568-7a078ad, calls CreateProcessA)

APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A0779E
Memory Dump Source
• Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 003df2ff60b4ef126dcffebbdc3c31b585ae615360753af87c5e449903d47926
• Instruction ID: c48e3cca9ab81b55a8117b26bf4f1e08c494a5eb1fc7d027c08d07fb04c6a596
• Opcode Fuzzy Hash: 003df2ff60b4ef126dcffebbdc3c31b585ae615360753af87c5e449903d47926
• Instruction Fuzzy Hash: C6917FB0D00259DFEF14CF69D841BDDBBB2BF48310F148569E819A7280DB75A985CF92

Control-flow Graph (graph image omitted; basic blocks d4b0e8-d4b368, calls GetModuleHandleW)

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00D4B33E
Memory Dump Source
• Source File: 00000000.00000002.2149020473.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d40000_TEKLIF 2002509.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 1ed35096a87b4adb9013fc37fb9c08e6876f12c704ff8c3fb637717051e7780a
• Instruction ID: b520c18831beb109b49ccc782e98aba7f75860d0b170cb6cee8ca53ee7008e72
• Opcode Fuzzy Hash: 1ed35096a87b4adb9013fc37fb9c08e6876f12c704ff8c3fb637717051e7780a
• Instruction Fuzzy Hash: 00714570A00B458FDB24CF6AD4557AABBF1FF88310F14892ED48AD7A40E775E845CBA1

Control-flow Graph (graph image omitted; basic blocks d4590c-d45a61, calls CreateActCtxA)

APIs
• CreateActCtxA.KERNEL32(?), ref: 00D459C9
Memory Dump Source
• Source File: 00000000.00000002.2149020473.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d40000_TEKLIF 2002509.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: c6b5176f7825b8ef0cad97b0b93acce3883b1db98972b1b9d10158e01d92bb6f
• Instruction ID: ef09205dded138740dab50204d96ea78c61ed130e5cb323ff1efcc3d4a103540
• Opcode Fuzzy Hash: c6b5176f7825b8ef0cad97b0b93acce3883b1db98972b1b9d10158e01d92bb6f
• Instruction Fuzzy Hash: 10410270C00719CFEB24CFA9C8857DEBBB1BF89304F24815AD448AB255DB71694ACF51

Control-flow Graph (graph image omitted; basic blocks d44514-d45a61, calls CreateActCtxA)

APIs
• CreateActCtxA.KERNEL32(?), ref: 00D459C9
Memory Dump Source
• Source File: 00000000.00000002.2149020473.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d40000_TEKLIF 2002509.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 25268a9c0f43cf48f42ba3c9d512e0049dd6dafe78b6be436843c8c8e2890458
• Instruction ID: 09674944f9163f4f796bb77442f5d78a5916d8a1f4a62256a6e0796015f6ef78
• Opcode Fuzzy Hash: 25268a9c0f43cf48f42ba3c9d512e0049dd6dafe78b6be436843c8c8e2890458
• Instruction Fuzzy Hash: 8F41F270C0071DCBEB24CFA9C84578EBBF5BF49304F20816AD408AB255D7716949CF91

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
control_flow_graph 260 d45a84-d45b14
Memory Dump Source
• Source File: 00000000.00000002.2149020473.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d40000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph

control_flow_graph 263 7a09e18-7a09e1c 264 7a09e91-7a09e93 263->264 265 7a09e1e-7a09e21 263->265 268 7a09e95 264->268 269 7a09e9d-7a09eb1 264->269 266 7a09dc1-7a09dcb 265->266 267 7a09e23-7a09e4d 265->267 272 7a09dd5-7a09df2 PostMessageW 266->272 273 7a09dcd-7a09dd0 266->273 270 7a09e54-7a09e67 267->270 271 7a09e4f 267->271 268->269 278 7a09e51-7a09e57 269->278 279 7a09eb3-7a09eb9 269->279 282 7a09e78-7a09e8d 270->282 283 7a09e69-7a09e76 270->283 271->270 275 7a09df4-7a09dfa 272->275 276 7a09dfb-7a09e0f 272->276 273->272 275->276 280 7a09e59-7a09e67 278->280 279->280 284 7a09ebb-7a09ecb 279->284 280->282 280->283 282->264 283->282 285 7a09ecd-7a09ee4 284->285 286 7a09eee-7a09ef1 284->286 285->286 292 7a09ee6-7a09eeb 285->292 292->286
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07A09DE5
Memory Dump Source
• Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0

Control-flow Graph

control_flow_graph 293 7a072d8-7a0732e 296 7a07330-7a0733c 293->296 297 7a0733e-7a0737d WriteProcessMemory 293->297 296->297 299 7a07386-7a073b6 297->299 300 7a0737f-7a07385 297->300 300->299
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A07370
Memory Dump Source
• Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0

Control-flow Graph

control_flow_graph 304 7a072e0-7a0732e 306 7a07330-7a0733c 304->306 307 7a0733e-7a0737d WriteProcessMemory 304->307 306->307 309 7a07386-7a073b6 307->309 310 7a0737f-7a07385 307->310 310->309
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A07370
Memory Dump Source
• Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0

Control-flow Graph

control_flow_graph 314 7a073c9-7a0745d ReadProcessMemory 318 7a07466-7a07496 314->318 319 7a0745f-7a07465 314->319 319->318
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A07450
Memory Dump Source
• Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0

Control-flow Graph

control_flow_graph 323 7a06d09-7a06d5b 325 7a06d6b-7a06d9b Wow64SetThreadContext 323->325 326 7a06d5d-7a06d69 323->326 328 7a06da4-7a06dd4 325->328 329 7a06d9d-7a06da3 325->329 326->325 329->328
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A06D8E
Memory Dump Source
• Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0

Control-flow Graph

control_flow_graph 333 d4d5c1-d4d65c DuplicateHandle 334 d4d665-d4d682 333->334 335 d4d65e-d4d664 333->335 335->334
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D4D64F
Memory Dump Source
• Source File: 00000000.00000002.2149020473.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d40000_TEKLIF 2002509.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A07450
Memory Dump Source
• Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0

Control-flow Graph (graph image omitted; covers the function at 7a06d10-7a06dd4, whose block at 7a06d6b calls Wow64SetThreadContext)
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A06D8E
Memory Dump Source
• Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D4D64F
Memory Dump Source
• Source File: 00000000.00000002.2149020473.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d40000_TEKLIF 2002509.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A0728E
Memory Dump Source
• Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A0728E
Memory Dump Source
• Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07A09DE5
Memory Dump Source
• Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00D4B33E
Memory Dump Source
• Source File: 00000000.00000002.2149020473.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d40000_TEKLIF 2002509.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
                                                                                                                                                                                                                      • Opcode ID: c3583b3c7d7b79a0c0544ad8045be513a235448fd33397cfc0ac261418704890
                                                                                                                                                                                                                      • Instruction ID: 74695567f544988dfbffa1f9980e7965906324f567191a777a20fb1c88a8f374
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c3583b3c7d7b79a0c0544ad8045be513a235448fd33397cfc0ac261418704890
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7711E0B6D00749CFDB14CF9AD444ADEFBF4AB88324F14841AD519A7210C379A545CFA5
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 07A09DE5
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MessagePost
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 410705778-0
                                                                                                                                                                                                                      • Opcode ID: 97843e09a29f9e15c452d61d61db0f81e3e2f3c418099c7af6cbcb2c1783168e
                                                                                                                                                                                                                      • Instruction ID: a43e38527885b94e560ccaf5c7f80e17f194df6b8d170847a4e206ae7a1d0f83
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 97843e09a29f9e15c452d61d61db0f81e3e2f3c418099c7af6cbcb2c1783168e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 151103B5800349DFDB10DF9AD885BDEFBF4EB48320F10881AD918A7240C375A944CFA1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2148512935.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_ced000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 3f7ec0768832946f25426f56f0856efc04876cc25cf7c9f7bd7a6972c90a2404
                                                                                                                                                                                                                      • Instruction ID: 3912dc10a8bbec2b55f6d4e4c174456b33247ee48c0201bed9a7fc15801bc6e5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3f7ec0768832946f25426f56f0856efc04876cc25cf7c9f7bd7a6972c90a2404
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B32122B2500280EFDB05DF15D9C0B26BF65FB98318F20C56DE90A0B256C336D956CBA2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2148606660.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_cfd000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 26cc6044fdcb1fe5673b86378455a570c324d6c1f6d21f3c39a7f263bbe53389
                                                                                                                                                                                                                      • Instruction ID: f91e583a7ac919691f91204548e5bcee10392de59399e6842b583cb80dc4278f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 26cc6044fdcb1fe5673b86378455a570c324d6c1f6d21f3c39a7f263bbe53389
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6D21F571604308EFDB54DF24D5C0B26BB66FB84314F20C56DEA0A4B246CB36D847CA62
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2148606660.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_cfd000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 29b6b7d7ba7c7dbdbcac7c24d232da7def3f2ffd65daf5336dda7778d1366db9
                                                                                                                                                                                                                      • Instruction ID: 2c0f4bb66fb316e10e4bff9be9450e7ee2ed6ac4e2d639f2acf9d431b0e5dfaf
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 29b6b7d7ba7c7dbdbcac7c24d232da7def3f2ffd65daf5336dda7778d1366db9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7321F971504308EFDB45DF14D5C0B36BB66FB84314F24C5ADEA0A4B256C376DC46CAA2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2148606660.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_cfd000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 3d867f1d99c5c2a4265ab962f733e3f2acb88d4c95e2995aa4d76d06c618bb34
                                                                                                                                                                                                                      • Instruction ID: 6b8aac05b15bf3a2c69693683e6c341b50eb765225ebe702cf883156b6645bb4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3d867f1d99c5c2a4265ab962f733e3f2acb88d4c95e2995aa4d76d06c618bb34
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1F218E755093849FCB02CF20D990715BF72EB46314F28C5EAD9498F2A7C33A980ACB62
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2148512935.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_ced000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                                                                                                                                                                                                      • Instruction ID: c94e741ce187780b7a63b24d10eb3f2bc3a42257475645d9cbeecb9d3db3cd20
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6611E6B6504280DFCB15CF10D9C4B16BF71FB94314F24C6A9D84A0B656C33AD95ACBA2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2148606660.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_cfd000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
                                                                                                                                                                                                                      • Instruction ID: dd2648ca9e659cc53f44b67b8aef1b897564b46ca39166e4dd7b09017e8b53f3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0611BE75504244DFCB45CF10C5C0B25FB62FB84314F24C6AAD94A4B256C33AD84ACB92
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2148512935.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_ced000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 06649f7d07d8ec7d9f089154a5b80d876e17e842dd7b6f761d169f0f9a5b8ea7
                                                                                                                                                                                                                      • Instruction ID: facbb4bfcd0d48d4c47b17e7784c25b64989f05192050c6992b38e7a0bb7c852
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 06649f7d07d8ec7d9f089154a5b80d876e17e842dd7b6f761d169f0f9a5b8ea7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E5012631004380EAE7104F27CD84B66FFA8EF42320F18C55AED1A4A28AC6799841CAB2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2148512935.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_ced000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 56bfaf1f4abd3a114cac58b73e853d74a6cc2d973a46371086a4ace8c5276cf8
                                                                                                                                                                                                                      • Instruction ID: 15e524b04295a93a644fd6f17c00137f7fb440f7ddd0441b3a90d837856e1766
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 56bfaf1f4abd3a114cac58b73e853d74a6cc2d973a46371086a4ace8c5276cf8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6FF06D71405384AEEB108F16CC88B62FFA8EB91734F18C55AED594A28AC2799945CBB1
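
The records above are raw disassembly metadata emitted by the sandbox and carry no explanation of their own. As an added example (not Joe Sandbox code and not part of the original report), the Python below parses this record layout into structured data and groups the recovered API calls by the memory region they were dumped from, keeping only regions the report marks "based on PE: false": code there is not backed by a module image on disk, which is the first place to look when the signature list at the top flags process injection and hollowing. Two things are assumptions, labelled as such in the code: the record layout itself (bullet-less headings, bullet-prefixed fields, one record per "Instruction Fuzzy Hash" line), inferred from what is visible on this page, and that the fourth dotted component of the .sdmp file name is the region base address, which is cross-checked against the report's own "Offset" field rather than trusted. The SAMPLE input is two records copied from this section plus a deliberately truncated third record.

```python
"""Parse the per-function records printed on this Joe Sandbox page into structured data
and group API calls by the memory region they were dumped from. Added example, not
Joe Sandbox code; layout (headings, bulleted fields, record boundary) inferred from the page."""
import re

BULLET = "\u2022"  # the "•" in front of every field line
HEADINGS = {"Strings", "APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")

SAMPLE = """\
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00D4B33E
Memory Dump Source
• Source File: 00000000.00000002.2149020473.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d40000_TEKLIF 2002509.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: c3583b3c7d7b79a0c0544ad8045be513a235448fd33397cfc0ac261418704890
• Instruction ID: 74695567f544988dfbffa1f9980e7965906324f567191a777a20fb1c88a8f374
• Opcode Fuzzy Hash: c3583b3c7d7b79a0c0544ad8045be513a235448fd33397cfc0ac261418704890
• Instruction Fuzzy Hash: 7711E0B6D00749CFDB14CF9AD444ADEFBF4AB88324F14841AD519A7210C379A545CFA5
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07A09DE5
Memory Dump Source
• Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 97843e09a29f9e15c452d61d61db0f81e3e2f3c418099c7af6cbcb2c1783168e
• Instruction ID: a43e38527885b94e560ccaf5c7f80e17f194df6b8d170847a4e206ae7a1d0f83
• Opcode Fuzzy Hash: 97843e09a29f9e15c452d61d61db0f81e3e2f3c418099c7af6cbcb2c1783168e
• Instruction Fuzzy Hash: 151103B5800349DFDB10DF9AD885BDEFBF4EB48320F10881AD918A7240C375A944CFA1
Memory Dump Source
• Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Similarity
• Opcode ID: 0e2fce4f6c9dc36e4be921147f83bfb3263599a8ad6c5007c57bc979f57659a5
"""


def parse_records(text):
    """One dict per record; a record closes at 'Instruction Fuzzy Hash', leftovers get complete=False."""
    records, cur, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in HEADINGS:
            section = line or section  # a heading switches section, a blank line changes nothing
            continue
        if line.startswith(BULLET):
            line = line[1:].strip()
        if section == "APIs":
            if m := API_RE.match(line):
                api = m.groupdict()
                api["args"] = [a for a in api["args"].split(",") if a]
                cur.setdefault("apis", []).append(api)
        elif section == "Memory Dump Source":
            if m := SRC_RE.match(line):
                cur["source_file"] = m["file"]
                cur["offset"] = int(m["offset"], 16)
                cur["based_on_pe"] = m["pe"] == "true"
        elif section == "Strings":  # not in this excerpt; kept raw so it cannot pollute the fields
            cur.setdefault("strings", []).append(line)
        else:  # "Snapshot File" and the Similarity entries are plain "Key: value" lines
            key, _, value = line.partition(":")
            key = key.strip().lower().replace(" ", "_")
            cur[key] = value.strip()
            if key == "instruction_fuzzy_hash":  # last field of every record on the page
                records.append({**cur, "complete": True})
                cur = {}
    if cur:  # input ended mid-record: report it instead of merging it into a neighbour
        records.append({**cur, "complete": False})
    return records


def dump_base(source_file):
    """Assumption: the 4th dotted component of the .sdmp name is the region base (the page prints it again as 'Offset')."""
    return int(source_file.split(".")[3], 16)


def check_offsets(records):
    """Source files whose embedded base disagrees with the report's 'Offset'. Expected result: []."""
    return [r["source_file"] for r in records
            if "source_file" in r and dump_base(r["source_file"]) != r["offset"]]


def summarize_regions(records):
    """Region base -> function count and sorted 'API.module' names, complete non-PE-backed records only."""
    out = {}
    for r in records:
        if not r["complete"] or r.get("based_on_pe", True):
            continue
        entry = out.setdefault(r["offset"], {"functions": 0, "apis": set()})
        entry["functions"] += 1
        entry["apis"].update(f"{a['name']}.{a['module']}" for a in r.get("apis", []))
    return {base: {"functions": v["functions"], "apis": sorted(v["apis"])} for base, v in out.items()}
```

On the sample, summarize_regions reports one non-PE-backed region per API record: 0x00D40000 calling GetModuleHandleW (KERNELBASE) and 0x07A00000 calling PostMessageW (USER32), while the truncated record comes back with complete=False and is excluded from the summary. Argument decoding is left to the analyst; for the PostMessageW record, the second argument 00000010 is WM_CLOSE (0x0010).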

Memory Dump Source
• Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e2fce4f6c9dc36e4be921147f83bfb3263599a8ad6c5007c57bc979f57659a5
                                                                                                                                                                                                                      • Instruction ID: cc76ab8a8b7aa9aafda75aa7bbf44994a7de02f5e7246fb0fde883e21109d249
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0e2fce4f6c9dc36e4be921147f83bfb3263599a8ad6c5007c57bc979f57659a5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5DD1ACB17017018FDB25DB79DA6076AB7E6AFC9700F18886DD1568B391DF34E801CBA1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: e8988ccd9f1b1ed9428a8056369e786314dbb95434f4554547fa7ca1695eaf21
                                                                                                                                                                                                                      • Instruction ID: a32bc49a052b79731f99fbc778fdd5908faae7a50896b9dc32dea13eef42c89c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e8988ccd9f1b1ed9428a8056369e786314dbb95434f4554547fa7ca1695eaf21
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4BD1BFB1E01215CFCB14CF59D584AADBBF6AF88305F24856AD428AB292D335DD52CFE0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: fd30a85a62f69ad456e915aae66431ca3715111d44a9ddff619f5f8c395cbdda
                                                                                                                                                                                                                      • Instruction ID: cfdec2ca130a937b0ba57ad2a71e35cfda17e1d3b987164f00ee6814bb012632
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fd30a85a62f69ad456e915aae66431ca3715111d44a9ddff619f5f8c395cbdda
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 04E12CB4E002598FDB14DFA9C5809AEFBB2FF89305F24C559D824AB355C731A942CFA1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 1b4dc43cf0bb27c68938676c6ac7031a826422a9dbcf630f564cb0334f06cce5
                                                                                                                                                                                                                      • Instruction ID: 68e4976010fef5143881a20d34c57026528772e76d3d3716b99b728f8f429f8b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1b4dc43cf0bb27c68938676c6ac7031a826422a9dbcf630f564cb0334f06cce5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 49E14DB4E001598FCB14DFA9D580AAEFBB2FF89305F24C569D524A7355C7319942CFA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: e17d3a2f7557812f5ed0d26054d0eef2cce89e2382500bd408a83b0821db4174
                                                                                                                                                                                                                      • Instruction ID: 09e78c08c04c2bfe5b431f080cbb25ad9c49a1d204136c7bbf2ebbf1a2c88be7
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e17d3a2f7557812f5ed0d26054d0eef2cce89e2382500bd408a83b0821db4174
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 98E13AB4E002598FDB14CFA9C5809AEFBB2FF89305F248559D924AB355D731AD42CFA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: c37383310d0f4d16e4d01e166ba59168986840da9369ff815b13714c052d53c3
                                                                                                                                                                                                                      • Instruction ID: cfaabf8c4aea5349c3ecbce0141bd99b6d86a7a18259c91ae24575e0ccee8e1a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c37383310d0f4d16e4d01e166ba59168986840da9369ff815b13714c052d53c3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A2E12DB4E002598FDB14DFA9C5809AEFBB2FF89305F24C559D824AB355D731A942CFA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: b79c72d17b369ba326d88ac8e31025210561967c10fc2099cea5dacfbb3bf13c
                                                                                                                                                                                                                      • Instruction ID: cf4f9c5e3c4fd4a250c769e231cafc7d0117c6efe7106a0936de80098d355bb5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b79c72d17b369ba326d88ac8e31025210561967c10fc2099cea5dacfbb3bf13c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4AE11BB4E002598FDB14DFA9D580AAEFBB2FF89305F24C569D824A7355C7319942CFA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2149020473.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_d40000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 0349aedd20f79d57f8fa4b2b1d2a350ee953e14945e118a1b6399ad7b389008f
                                                                                                                                                                                                                      • Instruction ID: 6a4e10e4c03d6961b1b47bf2385f942bd778d4b6332e00523bcafc42ae254aca
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0349aedd20f79d57f8fa4b2b1d2a350ee953e14945e118a1b6399ad7b389008f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6BA14C32E002198FCF15DFB4C8445EEB7B2FF85300B29857AE806AB265DB75E955CB60
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000000.00000002.2158230679.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7a00000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 066987c0f835b79196bb463ed0977ed748124c9e0fc73c39b61b2a4b17cc9737
                                                                                                                                                                                                                      • Instruction ID: 2908d48e2b45599724acbcace72d29c7f1900869dcdaf5f92c0f727a119af673
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 066987c0f835b79196bb463ed0977ed748124c9e0fc73c39b61b2a4b17cc9737
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AA512AB4E002598FDB14CFA9D9809AEFBB6BF89301F24C56AD418A7355C7319942CFA1

Execution Graph

Execution Coverage: 1.5%
Dynamic/Decrypted Code Coverage: 2.7%
Signature Coverage: 5.8%
Total number of Nodes: 553
Total number of Limit Nodes: 68

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_400000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileRead
                                                                                                                                                                                                                      • String ID: 1JA$rMA$rMA
                                                                                                                                                                                                                      • API String ID: 2738559852-782607585
                                                                                                                                                                                                                      • Opcode ID: 7aaaa16702adae6d23ede2d680456887a62317e53decf251faaf94379e42fb99
                                                                                                                                                                                                                      • Instruction ID: 40098347e2ccfe5138c34a84cead36b309c134ff29b5ac5e9c21c1f122b9f0a0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7aaaa16702adae6d23ede2d680456887a62317e53decf251faaf94379e42fb99
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BD0129B2211104ABCB14DF99CC85EEB77A9EF8C364F158649FA1D97251C630E912CBA1

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 8 41a3e0-41a3f6 9 41a3fc-41a429 NtReadFile 8->9 10 41a3f7 call 41af30 8->10 10->9
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_400000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileRead
                                                                                                                                                                                                                      • String ID: 1JA$rMA$rMA
                                                                                                                                                                                                                      • API String ID: 2738559852-782607585
                                                                                                                                                                                                                      • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                                                                                                                                                      • Instruction ID: c75c44bd16ed9a046d03b4490adc68ebadf214b0f3589fd2ba36fb57c0fad8bd
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 95F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 263 40acf0-40ad0c 264 40ad14-40ad19 263->264 265 40ad0f call 41cc20 263->265 266 40ad1b-40ad1e 264->266 267 40ad1f-40ad2d call 41d040 264->267 265->264 270 40ad3d-40ad4e call 41b470 267->270 271 40ad2f-40ad3a call 41d2c0 267->271 276 40ad50-40ad64 LdrLoadDll 270->276 277 40ad67-40ad6a 270->277 271->270 276->277
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_400000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Load
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2234796835-0
                                                                                                                                                                                                                      • Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                                                                                                                                                                                                      • Instruction ID: 667dcf47c4413345b20473d406be44d3d8b7ebea9a3b2269cd40777f9644ce6e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 79015EB5D0020DBBDB10EBA1DC42FDEB3799F54308F0045AAA908A7281F638EB54CB95

Control-flow Graph (graph image not captured): 278 41a330-41a381 call 41af30 NtCreateFile
APIs
• NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
Memory Dump Source
• Source File: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TEKLIF 2002509.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0

Control-flow Graph (graph image not captured): 281 41a50f-41a54d call 41af30 NtAllocateVirtualMemory
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
Memory Dump Source
• Source File: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TEKLIF 2002509.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0

Control-flow Graph (graph image not captured): 284 41a510-41a526; 285 41a52c-41a54d NtAllocateVirtualMemory; 286 41a527 call 41af30; edges 284->285, 284->286, 286->285
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
Memory Dump Source
• Source File: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TEKLIF 2002509.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
APIs
• NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485
Memory Dump Source
• Source File: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TEKLIF 2002509.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                                                                                                                                                                      APIs
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 90900221A0140502D10572584408616008AA7D0251F99C422A1024955ECA658A92A231
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: bc4f4907806136d721d7fa3c68661be19af7c30a1bb64dcb7f80f66371908708
                                                                                                                                                                                                                      • Instruction ID: 527b2bb90c8e7c394b00546424f191cf278eddbc0f293f41837fd272af30c0ec
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bc4f4907806136d721d7fa3c68661be19af7c30a1bb64dcb7f80f66371908708
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E890027160140402D144725844087460085A7D0311F59C411A5064954EC6998ED56765
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_400000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 9491f0743c91a206193bdf4875b0116748c1939b63dea1d6f13f2d0be6304ac3
                                                                                                                                                                                                                      • Instruction ID: 0cf1d1cfbff413d406b9f50454d57ab941c4b3e8ec75440de5a7d7d7e128ebbb
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9491f0743c91a206193bdf4875b0116748c1939b63dea1d6f13f2d0be6304ac3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 24210AB2D4020857CB25D664AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 11 41a632-41a639 12 41a6a3-41a6a8 ExitProcess 11->12 13 41a63b 11->13 14 41a5f6-41a5fd 13->14 15 41a63d 13->15 17 41a61b-41a631 RtlAllocateHeap 15->17 18 41a63f 15->18 18->12
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D
                                                                                                                                                                                                                      • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_400000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AllocateExitHeapProcess
                                                                                                                                                                                                                      • String ID: 6EA
                                                                                                                                                                                                                      • API String ID: 1054155344-1400015478
                                                                                                                                                                                                                      • Opcode ID: 47508782786a64f1a4d8e9ee814f552b76b8f1e01370df25776678557343657f
                                                                                                                                                                                                                      • Instruction ID: f3a8626008191923e07bac595a229e4eb5614c867216e2dd50514f9d6a1fbb57
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 47508782786a64f1a4d8e9ee814f552b76b8f1e01370df25776678557343657f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6CE0C27510B1983AEB18A7B03E858F77F1DC8C121472C4AEAFACC9E407C429916283A6

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 19 41a600-41a631 call 41af30 RtlAllocateHeap
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_400000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AllocateHeap
                                                                                                                                                                                                                      • String ID: 6EA
                                                                                                                                                                                                                      • API String ID: 1279760036-1400015478
                                                                                                                                                                                                                      • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                                                                                                                                      • Instruction ID: 226561cf9c8a986873ffc081809f26ad69fcc4b20f94c9d7be20fabd3b8eb7db
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 24E012B1211208ABDB14EF99CC41EA777ACAF88664F118559BA085B242C630F911CAB0

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 217 41a5c6-41a5cc 218 41a59d-41a5a7 call 41af30 217->218 219 41a5ce 217->219 224 41a5ac-41a5c1 call 15d2c70 218->224 221 41a5d0-41a5fd call 41af30 219->221 222 41a64b-41a657 call 41af30 219->222 226 41a65c-41a671 RtlFreeHeap 222->226 228 41a5c3-41a5c5 224->228
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_400000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeHeap
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3298025750-0
                                                                                                                                                                                                                      • Opcode ID: 151e719e1fe50e17b4ef87342ef9202b6ccf1721b88ce42bd16b803d403f5492
                                                                                                                                                                                                                      • Instruction ID: 710bbcc343550d2e60226a4eb97f5427688d4fc6556b828fe111e3aabe4103ba
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 151e719e1fe50e17b4ef87342ef9202b6ccf1721b88ce42bd16b803d403f5492
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6E11C2B92053046FDB14EFA8DC81CEB77A8EF84318B40854AFC5947302D234E962CBB5

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 231 408310-40833d call 41be30 call 41c9d0 236 408343-40835a call 414e50 231->236 237 40833e call 40acf0 231->237 240 40835c-40836e PostThreadMessageW 236->240 241 40838e-408392 236->241 237->236 242 408370-40838a call 40a480 240->242 243 40838d 240->243 242->243 243->241
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_400000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MessagePostThread
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1836367815-0
                                                                                                                                                                                                                      • Opcode ID: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
                                                                                                                                                                                                                      • Instruction ID: 43d593e10ad008c4695c17d6314bf6f3e92d4c432431edd93db89b762a987e15
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E2018471A8032877E720A6959D43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

Control-flow Graph

control_flow_graph 246 4082d3-4082df 247 4082e1-4082fd call 41b870 call 41b720 246->247 248 408337-40835a call 40acf0 call 414e50 246->248 257 40835c-40836e PostThreadMessageW 248->257 258 40838e-408392 248->258 259 408370-40838a call 40a480 257->259 260 40838d 257->260 259->260 260->258
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TEKLIF 2002509.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 7c12312fb9c11a5d82f084d113b032006b16db5ca1e92a579f808e6171a4af43
• Instruction ID: 967da45d43d500b0c3c5d9e15febe837a69d4a3a08b03dd864461a48f287fc59
• Opcode Fuzzy Hash: 7c12312fb9c11a5d82f084d113b032006b16db5ca1e92a579f808e6171a4af43
• Instruction Fuzzy Hash: F1017D32A4032932E62166653D43FFA730C9B41F64F04017FFE04FB2C1EAA9A91142EA

Control-flow Graph

control_flow_graph 287 41a640-41a656 288 41a65c-41a671 RtlFreeHeap 287->288 289 41a657 call 41af30 287->289 289->288
APIs
• RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
Memory Dump Source
• Source File: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TEKLIF 2002509.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
• Instruction ID: 3f65de21c9b51a2b7742007d51c6b1fad19b07b0b1b2c98d2bb582ee848745b4
• Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
• Instruction Fuzzy Hash: 1EE046B1210208ABDB18EF99CC49EE777ACEF88764F018559FE085B242C630F911CAF0

Control-flow Graph

control_flow_graph 290 41a7a0-41a7d4 call 41af30 LookupPrivilegeValueW
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0
Memory Dump Source
• Source File: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TEKLIF 2002509.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
• Instruction ID: a195d06a74d451d332e2306e76e7c3aa502b90bd3f16d73f11471c4c6d802808
• Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
• Instruction Fuzzy Hash: 2FE01AB12102086BDB10DF49CC85EE737ADAF88654F018155BA0857241C934E8118BF5
APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8
Memory Dump Source
• Source File: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_TEKLIF 2002509.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
• Instruction ID: 026b6f0270740822b369349059f6971daea101c61a9fac8a7aff4918670f7806
• Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
• Instruction Fuzzy Hash: C1D017726112187BD620EB99CC85FD777ACDF487A4F0180AABA1C6B242C531BA11CAE1
APIs
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 1949cef9742fc98c6a8476f2eb4c5e89e3a55229c98486c4f0ad34eba3bdb5e8
• Instruction ID: dd5498e994d33f10a70b297bf6bc3704806a627ca2b025b84a5387940168edff
• Opcode Fuzzy Hash: 1949cef9742fc98c6a8476f2eb4c5e89e3a55229c98486c4f0ad34eba3bdb5e8
• Instruction Fuzzy Hash: 0EB09B71D025C5D5DA16E764460C71B794077D0711F19C461D2030A42F4778C5D1E375
Strings
• The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01648E86
• an invalid address, %p, xrefs: 01648F7F
• *** enter .exr %p for the exception record, xrefs: 01648FA1
• The resource is owned shared by %d threads, xrefs: 01648E2E
• This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01648F26
• *** Resource timeout (%p) in %ws:%s, xrefs: 01648E02
• *** enter .cxr %p for the context, xrefs: 01648FBD
• write to, xrefs: 01648F56
• Go determine why that thread has not released the critical section., xrefs: 01648E75
• The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01648E3F
• This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01648DB5
• *** A stack buffer overrun occurred in %ws:%s, xrefs: 01648DA3
• *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01648D8C
• read from, xrefs: 01648F5D, 01648F62
• *** then kb to get the faulting stack, xrefs: 01648FCC
• The instruction at %p tried to %s , xrefs: 01648F66
• *** An Access Violation occurred in %ws:%s, xrefs: 01648F3F
• This failed because of error %Ix., xrefs: 01648EF6
• <unknown>, xrefs: 01648D2E, 01648D81, 01648E00, 01648E49, 01648EC7, 01648F3E
• *** Inpage error in %ws:%s, xrefs: 01648EC8
• a NULL pointer, xrefs: 01648F90
• The critical section is owned by thread %p., xrefs: 01648E69
• This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01648F2D
• The instruction at %p referenced memory at %p., xrefs: 01648EE2
• This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01648F34
• *** Critical Section Timeout (%p) in %ws:%s, xrefs: 01648E4B
• The resource is owned exclusively by thread %p, xrefs: 01648E24
• The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01648DD3
• *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01648FEF
• If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01648DC4
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
• API String ID: 0-108210295
• Opcode ID: 1fd191c84f85602bdc1655f00d6519fcb4adb26c2eedc5c8119e923e973f1180
• Instruction ID: c452c27acce51b4e6b3ec5a70722b4c2de42fb3fb714b9cc7756293239f06130
• Opcode Fuzzy Hash: 1fd191c84f85602bdc1655f00d6519fcb4adb26c2eedc5c8119e923e973f1180
• Instruction Fuzzy Hash: 3981F575A40211BFDB21AA99CC45DAB3F3AFF56F54F05408CF6086F252E7798812CAA1
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
• API ID:
• String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
• API String ID: 0-2160512332
• Opcode ID: 753cf0473531ffbebf807b5f258825d112e43e3b1894a6fa2dab422dd1fe2bca
• Instruction ID: 06b2a617b03c5080b7b7583baf575935f9110f62788112b56b5754a1c5cf9f25
• Opcode Fuzzy Hash: 753cf0473531ffbebf807b5f258825d112e43e3b1894a6fa2dab422dd1fe2bca
• Instruction Fuzzy Hash: 10929A71604342AFE721CE28CC90B6BB7E9BB84714F28492DFA95DB354D770E844CB92
Strings
• First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016054E2
• Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0160540A, 01605496, 01605519
• 8, xrefs: 016052E3
• undeleted critical section in freed memory, xrefs: 0160542B
• Thread identifier, xrefs: 0160553A
• Thread is in a state in which it cannot own a critical section, xrefs: 01605543
• corrupted critical section, xrefs: 016054C2
• Critical section debug info address, xrefs: 0160541F, 0160552E
• Address of the debug info found in the active list., xrefs: 016054AE, 016054FA
• Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016054CE
• Critical section address., xrefs: 01605502
• double initialized or corrupted critical section, xrefs: 01605508
• Invalid debug info address of this critical section, xrefs: 016054B6
• Critical section address, xrefs: 01605425, 016054BC, 01605534
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
• API String ID: 0-2368682639
• Opcode ID: 3b70742a387fda5c4bbd6a03b38d6d0336959543e73da586f49a154c12b9a070
• Instruction ID: 75fe547f71fddd1670b9ba8b3e9d4e6b13011bda2b096ad9f998424988c7758b
• Opcode Fuzzy Hash: 3b70742a387fda5c4bbd6a03b38d6d0336959543e73da586f49a154c12b9a070
• Instruction Fuzzy Hash: 02817AB1A41349AFEB25CF99CC45BAEBBB5FB48B14F104119E505BB280D3B1A941CBA0
Strings
• SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01602506
• SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01602602
• SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01602498
• SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01602624
• SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01602409
• SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 016024C0
• SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01602412
• RtlpResolveAssemblyStorageMapEntry, xrefs: 0160261F
• @, xrefs: 0160259B
• SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 016022E4
• SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 016025EB
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
• API String ID: 0-4009184096
• Opcode ID: 1b653e6362ea8df0b8668b534cf8f50968fe2b4b0fe7d3294d6cc8fb0e9b2b4a
• Instruction ID: 3176527dc945a18ccef7d677beeacc02393115b914cb7bf5f62102f57b02aab3
• Opcode Fuzzy Hash: 1b653e6362ea8df0b8668b534cf8f50968fe2b4b0fe7d3294d6cc8fb0e9b2b4a
• Instruction Fuzzy Hash: DB025EB1D002299FDB25DF54CC94BDAB7B8BF54704F0441EEA609AB281EB709E84CF59
Strings
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
• API String ID: 0-2515994595
• Opcode ID: 051d0a5bfa22310cde095405b79f5a7b1fd9be0fe005d23fdda80f0b0717538c
• Instruction ID: c4d36d7c45579d865188b1984fcbfec690d3b9ce9e715fc415b40681771995d4
• Opcode Fuzzy Hash: 051d0a5bfa22310cde095405b79f5a7b1fd9be0fe005d23fdda80f0b0717538c
• Instruction Fuzzy Hash: D3519B725143029BD329CF288C48BABBBECFFD8654F144A1DB99987241E770DA05CBD2
Strings
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
• API String ID: 0-3197712848
• Opcode ID: dfb9b5ac055fc7f7e2554c3536b922351dc4569798fe6b6d06492bf2f7ec7500
• Instruction ID: 67084ef804c7a0d3ee8c6642343b83029381a8b4317910db317d3bcecae713e2
• Opcode Fuzzy Hash: dfb9b5ac055fc7f7e2554c3536b922351dc4569798fe6b6d06492bf2f7ec7500
• Instruction Fuzzy Hash: 0712EF716483429FD725DF28C880BAEB7E5BF84704F844A1DFA958F291E770D944CB92
Strings
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
• API String ID: 0-1700792311
• Opcode ID: 2858f580c102991b266aff57c73279242d6be801eb10ec390c75c9ba6ca1f4eb
• Instruction ID: 51857c86373650716a5f2e9ce594073e2f0d8e756a59441848fc7a6e06378613
• Opcode Fuzzy Hash: 2858f580c102991b266aff57c73279242d6be801eb10ec390c75c9ba6ca1f4eb
• Instruction Fuzzy Hash: FED1CE316006A6EFDB26EF68C840AEDBBF6FF49610F088149F646AB752C734D941CB54
Strings
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI$MZER
                                                                                                                                                                                                                      • API String ID: 0-664215390
                                                                                                                                                                                                                      • Opcode ID: 0e7246a57d036611459637cb2ce0210222a5a468458c6675385b0095ea715094
                                                                                                                                                                                                                      • Instruction ID: 67d201195e2d7ae3cd28e4b51b8a85fa2808629b22da9fa1b3cf83b72e64c9fa
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0e7246a57d036611459637cb2ce0210222a5a468458c6675385b0095ea715094
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7E32AE709042698BEF22CB18D898BEEBBB5FF45340F1441EAE949AF251D7319E81CF51
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01618A67
                                                                                                                                                                                                                      • VerifierDebug, xrefs: 01618CA5
                                                                                                                                                                                                                      • VerifierDlls, xrefs: 01618CBD
                                                                                                                                                                                                                      • AVRF: -*- final list of providers -*- , xrefs: 01618B8F
                                                                                                                                                                                                                      • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01618A3D
                                                                                                                                                                                                                      • VerifierFlags, xrefs: 01618C50
                                                                                                                                                                                                                      • HandleTraces, xrefs: 01618C8F
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                                                                                                                                                                      • API String ID: 0-3223716464
                                                                                                                                                                                                                      • Opcode ID: 284fdea9e0a23e4e394eb215a8aa40acfc5bdcf057511ae3d29375025a0b2d46
                                                                                                                                                                                                                      • Instruction ID: e9dccd21a847dc7a377d57cd14286cbec616c7189ea0cb285213ae8d03255a22
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 284fdea9e0a23e4e394eb215a8aa40acfc5bdcf057511ae3d29375025a0b2d46
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D8912672A41702AFD721EF68CC90B6A7BA9FB94B14F48465CFA42AF258C7709C01C795
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • LdrpGenericExceptionFilter, xrefs: 01614DFC
                                                                                                                                                                                                                      • ***Exception thrown within loader***, xrefs: 01614E27
                                                                                                                                                                                                                      • minkernel\ntdll\ldrutil.c, xrefs: 01614E06
                                                                                                                                                                                                                      • Execute '.cxr %p' to dump context, xrefs: 01614EB1
                                                                                                                                                                                                                      • LdrpProtectedCopyMemory, xrefs: 01614DF4
                                                                                                                                                                                                                      • Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p, xrefs: 01614DF5
                                                                                                                                                                                                                      • Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? , xrefs: 01614E38
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: ***Exception thrown within loader***$Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? $Execute '.cxr %p' to dump context$Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p$LdrpGenericExceptionFilter$LdrpProtectedCopyMemory$minkernel\ntdll\ldrutil.c
                                                                                                                                                                                                                      • API String ID: 0-2973941816
                                                                                                                                                                                                                      • Opcode ID: b26429e112849fd9b1985686a185df61139d3299c2afd84af2fa7a9383e93223
                                                                                                                                                                                                                      • Instruction ID: 10fed323d61501e4222beb9c27a71adfbeafd9382f5043d3c97809b7c193ca09
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b26429e112849fd9b1985686a185df61139d3299c2afd84af2fa7a9383e93223
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 68210B72188107BBE728AA6C9C47D367BADFB85B70F1C0509F1119F759CF50D911C265
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                                                                                                                                                                      • API String ID: 0-1109411897
                                                                                                                                                                                                                      • Opcode ID: b6c04525dc527ddacb9bd6850d4a4b6f56e0c1760f2a4fb01d2edc78f611a4ca
                                                                                                                                                                                                                      • Instruction ID: fe22e31b174e97f1e31f88c4ab10505159ae4bcaa453011ec58da2c3cc7beceb
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b6c04525dc527ddacb9bd6850d4a4b6f56e0c1760f2a4fb01d2edc78f611a4ca
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F1A22874A0562A8FDF64DF18CD887AEBBB5BF45304F1442EAD909AB250DB309E81CF51
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                      • API String ID: 0-792281065
                                                                                                                                                                                                                      • Opcode ID: f245f494a02bca524fe77893276ac52501f76e8bb1a83fc3b95ccd5db6190aeb
                                                                                                                                                                                                                      • Instruction ID: 8d7b75a5455382d253eeee169b85ae14ca31f506f6abc449003d19a3ccca0948
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f245f494a02bca524fe77893276ac52501f76e8bb1a83fc3b95ccd5db6190aeb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AB910470B00316AFDB3AAF98DC85BAEBBA1BB50B14F14425CDA016F3C1DBB09901C795
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • Getting the shim user exports failed with status 0x%08lx, xrefs: 015E9A01
                                                                                                                                                                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 015E9A11, 015E9A3A
                                                                                                                                                                                                                      • Loading the shim user DLL failed with status 0x%08lx, xrefs: 015E9A2A
                                                                                                                                                                                                                      • apphelp.dll, xrefs: 01586496
                                                                                                                                                                                                                      • Building shim user DLL system32 filename failed with status 0x%08lx, xrefs: 015E99ED
                                                                                                                                                                                                                      • LdrpInitShimEngine, xrefs: 015E99F4, 015E9A07, 015E9A30
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: Building shim user DLL system32 filename failed with status 0x%08lx$Getting the shim user exports failed with status 0x%08lx$LdrpInitShimuser$Loading the shim user DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                      • API String ID: 0-204845295
                                                                                                                                                                                                                      • Opcode ID: b35290789fce67f3f58b6a8bc802f8360ed364204db67cda5f668ea0c9ae8f4d
                                                                                                                                                                                                                      • Instruction ID: 2bfbd30a55d350deee2651dfdb88b91695c808962cc42f16e638eca6fe15ca9a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b35290789fce67f3f58b6a8bc802f8360ed364204db67cda5f668ea0c9ae8f4d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 42519F71608305AFE725EF24DC45AAFB7E9FF84648F40091DE585AF260D670E944CB92
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01602178
                                                                                                                                                                                                                      • SXS: %s() passed the empty activation context, xrefs: 01602165
                                                                                                                                                                                                                      • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0160219F
                                                                                                                                                                                                                      • RtlGetAssemblyStorageRoot, xrefs: 01602160, 0160219A, 016021BA
                                                                                                                                                                                                                      • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01602180
                                                                                                                                                                                                                      • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 016021BF
                                                                                                                                                                                                                      Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
• API String ID: 0-861424205
• Opcode ID: 5f7d298cc6879ba6215782a751ddbef87187aa54e27673b32b968262ac74a0e1
• Instruction ID: 70479e687f8b0c9c1813c5039002a8e0156343971cae9615e4fc9599cd2eb385
• Opcode Fuzzy Hash: 5f7d298cc6879ba6215782a751ddbef87187aa54e27673b32b968262ac74a0e1
• Instruction Fuzzy Hash: E2312A36A40211BBE7128ED5DC89F5B7AB9FF54E40F0540ADBB04AF240D7709A01C6A0
Strings
• minkernel\ntdll\ldrinit.c, xrefs: 015CC6C3
• Unable to build import redirection Table, Status = 0x%x, xrefs: 016081E5
• LdrpInitializeImportRedirection, xrefs: 01608177, 016081EB
• LdrpInitializeProcess, xrefs: 015CC6C4
• minkernel\ntdll\ldrredirect.c, xrefs: 01608181, 016081F5
• Loading import redirection DLL: '%wZ', xrefs: 01608170
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
• API String ID: 0-475462383
• Opcode ID: d0cb001743aa248665aad7c96c376f75fc13e30fadd768483816af5b3c4d701f
• Instruction ID: 3d1c9ef19e16245658153fdffde39ee118036a789d2028541097d6384ddfd47a
• Opcode Fuzzy Hash: d0cb001743aa248665aad7c96c376f75fc13e30fadd768483816af5b3c4d701f
• Instruction Fuzzy Hash: AD31E071644712AFC324EF68DD86E2B7795BFD4B24F040A6CF944AF291E660EC04C7A2
APIs
  • Part of subcall function 015D2DF0: LdrInitializeThunk.NTDLL ref: 015D2DFA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015D0BA3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015D0BB6
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015D0D60
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015D0D74
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
• String ID:
• API String ID: 1404860816-0
• Opcode ID: aa6f3a84fe3c172d5602b9f941ba37ccbd71a9cdf6e35f1e8d180a067a86d194
• Instruction ID: a29bbe668b590112b164c4d164c9a55b92ebfc049cd5c5fac63f90de54a538d1
• Opcode Fuzzy Hash: aa6f3a84fe3c172d5602b9f941ba37ccbd71a9cdf6e35f1e8d180a067a86d194
• Instruction Fuzzy Hash: B6425A71900716DFDB25CF28C880BAAB7F5FF44314F1445AAE9899B282D770AA85CF60
Strings
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
• API String ID: 0-379654539
• Opcode ID: 03c042d9c5b7bd2ce449d04f7dac8e5aca71056ab94c28616d3ec1260575cbc0
• Instruction ID: 0abf4257855c6b09729cf8ba5588c97204a98bfbd12837d044a299474b48c4a8
• Opcode Fuzzy Hash: 03c042d9c5b7bd2ce449d04f7dac8e5aca71056ab94c28616d3ec1260575cbc0
• Instruction Fuzzy Hash: 15C169746083829FDB21CF58C144B6AB7E4BF85704F04896EFA998F251E774C949CBA3
Strings
• minkernel\ntdll\ldrinit.c, xrefs: 015C8421
• LdrpInitializeProcess, xrefs: 015C8422
• @, xrefs: 015C8591
• \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 015C855E
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
• API String ID: 0-1918872054
• Opcode ID: 5bc1626fe3f95e0182ae6513468e3acee36b9b545cc619e6f70ea5a5260ede53
• Instruction ID: 574bf112b7c7dfdc0caf7b82bf0e21cf7bfc036c6e7f3c8f17e0396f7fc9a3d6
• Opcode Fuzzy Hash: 5bc1626fe3f95e0182ae6513468e3acee36b9b545cc619e6f70ea5a5260ede53
• Instruction Fuzzy Hash: CD919E71508346AFE722DF65CC80EAFBAECBF94B44F40092EF6859A150E374D904CB62
Strings
• .Local, xrefs: 015C28D8
• SXS: %s() passed the empty activation context, xrefs: 016021DE
• RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 016021D9, 016022B1
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 016022B6
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
• API String ID: 0-1239276146
• Opcode ID: 8b880e59180ea33041531c06fe0db1aba83dcee4d45dc169be3732775f29fda2
• Instruction ID: 3f1facf24e6b014fa1ac4847276c1a8a2c62660d1c7d8a43c2725902871a29d5
• Opcode Fuzzy Hash: 8b880e59180ea33041531c06fe0db1aba83dcee4d45dc169be3732775f29fda2
• Instruction Fuzzy Hash: B5A19C3190022A9FDB25CFA8DC88BAAB7B1BF58754F1545EDD908AB251D7709EC0CF90
Strings
• SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01603437
• RtlDeactivateActivationContext, xrefs: 01603425, 01603432, 01603451
• SXS: %s() called with invalid flags 0x%08lx, xrefs: 0160342A
• SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01603456
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
• API String ID: 0-1245972979
• Opcode ID: 94ff738cc87528d263f23eda47e04817e6ce60aa153da2626b8b13524d822215
• Instruction ID: 29582c4a6ebe4e29e90d9f54958dde9cc1adaec5983934b099d3a2d4be2d916b
• Opcode Fuzzy Hash: 94ff738cc87528d263f23eda47e04817e6ce60aa153da2626b8b13524d822215
• Instruction Fuzzy Hash: E961FD366416129FDB278E5CCC92F2AB7E1FF80B11F15852DE8559F390DB30E8018B91
Strings
• ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 015F10AE
• ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 015F106B
• ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 015F0FE5
• ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 015F1028
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
• API String ID: 0-1468400865
• Opcode ID: f28d942f4e6dbe5e16af3f7a432539ec323f5cadff884569fa65f8b61c4fc9f5
• Instruction ID: 5c912b82d0b8419f707fbc1472d3fa86f8d0bd59909ea2bac73b5a626e0fca50
• Opcode Fuzzy Hash: f28d942f4e6dbe5e16af3f7a432539ec323f5cadff884569fa65f8b61c4fc9f5
• Instruction Fuzzy Hash: 7071B0B19043069FCB21DF18C885B9B7BA9BF95764F844868F9488F186D734D588CBD2
Strings
                                                                                                                                                                                                                      • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0160362F
                                                                                                                                                                                                                      • LdrpFindDllActivationContext, xrefs: 01603636, 01603662
                                                                                                                                                                                                                      • minkernel\ntdll\ldrsnap.c, xrefs: 01603640, 0160366C
                                                                                                                                                                                                                      • Querying the active activation context failed with status 0x%08lx, xrefs: 0160365C
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                                                                                                                                                                      • API String ID: 0-3779518884
                                                                                                                                                                                                                      • Opcode ID: cb944319119d279bcb392f66471d2eddf761f7296ee36c2adc31daa69150c030
                                                                                                                                                                                                                      • Instruction ID: a2d550128816e4e603b5cf66810f571bd13a4027871274765d393381157bee9a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cb944319119d279bcb392f66471d2eddf761f7296ee36c2adc31daa69150c030
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EA31F972A00651AEDF36BE8CCC69F3E76A4BB01F54F06416EE9055F261DBA0DC8087D5
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 015FA9A2
                                                                                                                                                                                                                      • apphelp.dll, xrefs: 015B2462
                                                                                                                                                                                                                      • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 015FA992
                                                                                                                                                                                                                      • LdrpDynamicShimModule, xrefs: 015FA998
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                      • API String ID: 0-176724104
                                                                                                                                                                                                                      • Opcode ID: 5c3a6290bf378068f2d59e38b0228a5f0b391ca9d5d2c43fe40c85d5be26c211
                                                                                                                                                                                                                      • Instruction ID: 5737df50f2a51b5261ae8b8c303ff5f631d19a748b2858119d04fcf500f8d061
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5c3a6290bf378068f2d59e38b0228a5f0b391ca9d5d2c43fe40c85d5be26c211
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B8314671610202BBDB31AF59DD81EAE7BB4FB80B00F16012DEA056F345C7B0A851C791
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • HEAP[%wZ]: , xrefs: 015A3255
                                                                                                                                                                                                                      • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 015A327D
                                                                                                                                                                                                                      • HEAP: , xrefs: 015A3264
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                                                                                                                                                                      • API String ID: 0-617086771
                                                                                                                                                                                                                      • Opcode ID: 534154be0c48d553f66fae68609f4cf9e933dc98f236505f57d21acb3b9b2e0f
                                                                                                                                                                                                                      • Instruction ID: 4681bb58c2f26c377d9a70c33667ef7b3dcf4282a5ba644cd7b8bb80acf91450
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 534154be0c48d553f66fae68609f4cf9e933dc98f236505f57d21acb3b9b2e0f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E992DC70A442499FDB25CFA8C4457AEBBF1FF48304F5884A9E95AAF351D334A941CF50
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                                                                                                                                                      • API String ID: 0-4253913091
                                                                                                                                                                                                                      • Opcode ID: e26830a80e191111c067ea18c2ac7319ff63817ae729d6af1f51430dd059b676
                                                                                                                                                                                                                      • Instruction ID: 899a5227f074a1cfd4147768bb830d0cbe2a41cae65609bf3d428a3f67cea99c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e26830a80e191111c067ea18c2ac7319ff63817ae729d6af1f51430dd059b676
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 34F19B30A50606DFEB25CF68C894B6EBBF5FB44304F5486A8E5469F391D730E981CB90
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID: $@
                                                                                                                                                                                                                      • API String ID: 2994545307-1077428164
                                                                                                                                                                                                                      • Opcode ID: ec4e16244196d3136ac8bf84fc58643e5f0b2081c0839f7a7d0605e9d70ca0fb
                                                                                                                                                                                                                      • Instruction ID: e90d2920bf5ef704da3b1441429fe58c46ca41138d25bb3f1500a1e873199468
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ec4e16244196d3136ac8bf84fc58643e5f0b2081c0839f7a7d0605e9d70ca0fb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 88C25D716083459FDB25CF28C881BAFBBE5BFC8754F04892DEA898B291D734D845CB52
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: FilterFullPath$UseFilter$\??\
                                                                                                                                                                                                                      • API String ID: 0-2779062949
                                                                                                                                                                                                                      • Opcode ID: a517b525724dbcae17cc69e64e96a1bd83acd7aa17d2c20fd003c9ab6de2f2cd
                                                                                                                                                                                                                      • Instruction ID: f29983a5c6bfca4f9ca0771e46d44eb12c801ce49ca42f8b09a3a0749fec1160
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a517b525724dbcae17cc69e64e96a1bd83acd7aa17d2c20fd003c9ab6de2f2cd
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 58A13C71D1162A9BDB359F68CC88BADB7B8FF48710F1041EAD909AB250E7359E84CF50
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 015FA121
                                                                                                                                                                                                                      • Failed to allocated memory for shimmed module list, xrefs: 015FA10F
                                                                                                                                                                                                                      • LdrpCheckModule, xrefs: 015FA117
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                                      • API String ID: 0-161242083
                                                                                                                                                                                                                      • Opcode ID: 466805270c8ac7d85d1e3c8fd4ef79af23f30780748b184c381c48ce8298f5eb
                                                                                                                                                                                                                      • Instruction ID: 3ef61e475d686ddc25d2fb1cc75a3214722d401e4d71753ae64ba604f75ece1a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 466805270c8ac7d85d1e3c8fd4ef79af23f30780748b184c381c48ce8298f5eb
• Instruction Fuzzy Hash: 4F71EC70A00206EFDB25EF68CC81ABEB7F4FB88704F15442DE906AF291E730A941CB51

Strings
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
• API String ID: 0-1334570610
• Opcode ID: d7ae889b22459333fb3a56340bf87ddc0a59b6bbecf1b70a7334c9e850e83775
• Instruction ID: ec933785e8d95cd12b8ad395f13cc1eedc889c3c3bc1967b0cd5f4f7dbbf6159
• Opcode Fuzzy Hash: d7ae889b22459333fb3a56340bf87ddc0a59b6bbecf1b70a7334c9e850e83775
• Instruction Fuzzy Hash: 2E619D706603069FDB29DF28C940B6EBBE1FF44704F54855DE95A8F292D770E881CB91

Strings
• LdrpInitializePerUserWindowsDirectory, xrefs: 016082DE
• minkernel\ntdll\ldrinit.c, xrefs: 016082E8
• Failed to reallocate the system dirs string !, xrefs: 016082D7
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
• API String ID: 0-1783798831
• Opcode ID: a6e2b09511265d4f6110b94caf52d32033857abcadfa661994f37597d0e5e3d5
• Instruction ID: 533c75133a2566ef4758803167121ee7c727d54acfcc8a87609da03ede72ae15
• Opcode Fuzzy Hash: a6e2b09511265d4f6110b94caf52d32033857abcadfa661994f37597d0e5e3d5
• Instruction Fuzzy Hash: 2D41D071550312ABC721EFA8DC44B5F7BE8FB98B54F004A2EB949DB290E770D8108B92

Strings
• \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0164C1C5
• @, xrefs: 0164C1F1
• PreferredUILanguages, xrefs: 0164C212
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
• API String ID: 0-2968386058
• Opcode ID: e12375df721db5eddfd1cf3694e8fc9088d935822dcf0506dc59c040db29e335
• Instruction ID: c499b643916bef4a51ba988129c7cf8eeac2772d9f48b1dac4cae7a6f380fad4
• Opcode Fuzzy Hash: e12375df721db5eddfd1cf3694e8fc9088d935822dcf0506dc59c040db29e335
• Instruction Fuzzy Hash: 38416271E1120AEBDB11DED9CC51FEFBBB8BB54704F14806AE605B7340E7B49A458B50

Strings
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
• API String ID: 0-1373925480
• Opcode ID: aa202f814b564eabbddd6b0b9124eacc10859c5efe3c8ea085f5a1341b259f0b
• Instruction ID: d6f5a90e7c66356d33f3074fc264097ad29073c01750ff5a6f5e2b2d8083ac41
• Opcode Fuzzy Hash: aa202f814b564eabbddd6b0b9124eacc10859c5efe3c8ea085f5a1341b259f0b
• Instruction Fuzzy Hash: 71410131A01A69CBEB229BE9CC44BACBBB8FF96340F244459D901EF381DB758901CF51

Strings
• Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01614888
• minkernel\ntdll\ldrredirect.c, xrefs: 01614899
• LdrpCheckRedirection, xrefs: 0161488F
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
• API String ID: 0-3154609507
• Opcode ID: 2f87cb72fec8fa5d708c61dbbf0f6274d5fc7e18c8ce65d3c7eefbb2cf6af616
• Instruction ID: e6c1565e1e20f6a50ebd16a337b9993ac8a317f6d54e2d2684df811a1e8e1e8f
• Opcode Fuzzy Hash: 2f87cb72fec8fa5d708c61dbbf0f6274d5fc7e18c8ce65d3c7eefbb2cf6af616
• Instruction Fuzzy Hash: 2641C172A046519FCB62CE6CDC40A267BE9BF49B90F0E066DED499B359DB30D801CB91

Strings
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
• API String ID: 0-2558761708
• Opcode ID: a63a6729dfc6857c4b7e1c2c7f23d6260b878a1f80deb7c44ff02a468e0c1d5e
• Instruction ID: cde7c993a81f93480e6dadb452fbf354d9102a9e1a21cdae6727c3ed7337bbeb
• Opcode Fuzzy Hash: a63a6729dfc6857c4b7e1c2c7f23d6260b878a1f80deb7c44ff02a468e0c1d5e
• Instruction Fuzzy Hash: 1D11DC313B41069FDB29DA28C848B6EB3A8FF80A16F18856DF506CF291EB34E841C754

Strings
• minkernel\ntdll\ldrinit.c, xrefs: 01612104
• LdrpInitializationFailure, xrefs: 016120FA
• Process initialization failed with status 0x%08lx, xrefs: 016120F3
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
• API String ID: 0-2986994758
• Opcode ID: 3d024ac136c10fb3b156c0fa01b52034fd525324b1302916ca5e04578d2e895a
• Instruction ID: 82ed088170871627eab7cf2df1020d1b3ee2f87abb402bfa4fa9cc247ef5346e
• Opcode Fuzzy Hash: 3d024ac136c10fb3b156c0fa01b52034fd525324b1302916ca5e04578d2e895a
• Instruction Fuzzy Hash: 2EF02234640309BBE724E64DDC53FAA3B68FB40B04F24045CFB006B785D2B0E980C684

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: #%u
• API String ID: 48624451-232158463
• Opcode ID: 60f6b0faa07c47b0d6657a799b9c9f341a7de3d2fe24bb2c6dd8a6ac6c02d17e
• Instruction ID: caae78899ba3c019b759af512f8b2a7a2d4815e10baaa71677096e014533ce93
• Opcode Fuzzy Hash: 60f6b0faa07c47b0d6657a799b9c9f341a7de3d2fe24bb2c6dd8a6ac6c02d17e
• Instruction Fuzzy Hash: 4D715D71A0014ADFDB11DFA8C990BAEB7F8FF48344F144069EA05EB291E634ED41CBA0

Strings
• LdrResSearchResource Enter, xrefs: 0159AA13
• LdrResSearchResource Exit, xrefs: 0159AA25
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
• API String ID: 0-4066393604
• Opcode ID: ed75efd26afe91f5355411e8a6912c2c24fd5a573488b9fc7d7f0ecb7e0b34c3
• Instruction ID: 2cc58f759065872adc2c06ce2fbe586920ba84f9b42e685cc1e57b41e3a4897e
• Opcode Fuzzy Hash: ed75efd26afe91f5355411e8a6912c2c24fd5a573488b9fc7d7f0ecb7e0b34c3
• Instruction Fuzzy Hash: 90E15171A002199FEF22CE99C984BAEBBBAFF44314F14452AEA11EF251D774D940CB61
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: `$`
                                                                                                                                                                                                                      • API String ID: 0-197956300
                                                                                                                                                                                                                      • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                                                                                                                                      • Instruction ID: 46bf9d5aa0e49a6f98937b1f546f2cef9a9a5bd7f0d1cade37b8c344fc50d197
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D4C1BF312043429BEB65CFA8CC41B6BBBE6BFC4318F084A2DFA968B291D775D505CB51
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID: Legacy$UEFI
                                                                                                                                                                                                                      • API String ID: 2994545307-634100481
                                                                                                                                                                                                                      • Opcode ID: 590b6f9aee0e2498c77b2501a929dcc6e7e03c67939115fc4ac1768e44020e10
                                                                                                                                                                                                                      • Instruction ID: 6e3a0a466c9a581836b7d34cadcb67ee424e89d88cf4a286ec762894a8f0b948
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 590b6f9aee0e2498c77b2501a929dcc6e7e03c67939115fc4ac1768e44020e10
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F7614171E046199FDB29DFA8CC40BAEBBB9FB44700F15486EE649EB291D7319901CB50
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: @$MUI
                                                                                                                                                                                                                      • API String ID: 0-17815947
                                                                                                                                                                                                                      • Opcode ID: 4eb0bb5793919812ae047da061cd3b2ceb3e7e444212e009365c807bfa7cb036
                                                                                                                                                                                                                      • Instruction ID: 80ee57c2bc3b5ab7a66f3caed0bea8fe952e138b7ac453cd14e9372f070a5047
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4eb0bb5793919812ae047da061cd3b2ceb3e7e444212e009365c807bfa7cb036
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 12510871E0021EAEDF11DFA9CC90AEEBBB9FB84754F104529E611AB290DB749905CB60
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • kLsE, xrefs: 01590540
                                                                                                                                                                                                                      • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0159063D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                                                                                                                                                                      • API String ID: 0-2547482624
                                                                                                                                                                                                                      • Opcode ID: 0b5c8fdca190b570f947a3c5990e41aeb8c6eda46b4814543564f76cf09f7fc5
                                                                                                                                                                                                                      • Instruction ID: c045c69b439c6e2276934af09093cb9bf7bfd8ef7f5a5cfb27137e803150397e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0b5c8fdca190b570f947a3c5990e41aeb8c6eda46b4814543564f76cf09f7fc5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AE51B0715047429BDB24DF68C5406ABBBE9BFC4304F104C3EEA9A8B281E734D545CB92
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • RtlpResUltimateFallbackInfo Enter, xrefs: 0159A2FB
                                                                                                                                                                                                                      • RtlpResUltimateFallbackInfo Exit, xrefs: 0159A309
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                                                                                                                                                      • API String ID: 0-2876891731
                                                                                                                                                                                                                      • Opcode ID: 98e045a751d2da57daed018879231db87a1fdf968a984e93af757a5deafb5ff5
                                                                                                                                                                                                                      • Instruction ID: dab72030c4982cf8e8fd713ec913080950cf7c2fe30a1335dd2b963afb0e9e70
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 98e045a751d2da57daed018879231db87a1fdf968a984e93af757a5deafb5ff5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F7418C71A0464ADBDB11CF59C840B6EBBF4FF84704F1444A9EE00DF295E2B5D940CBA2
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID: Cleanup Group$Threadpool!
                                                                                                                                                                                                                      • API String ID: 2994545307-4008356553
                                                                                                                                                                                                                      • Opcode ID: 063f751863b1a1ee458660fcad87b801983d5d153682114944f51a315432e6d2
                                                                                                                                                                                                                      • Instruction ID: 3ea5c3ae1ba7a6773c76e9554682b9610451a4ef26cb1637c3cc331e3a886b8b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 063f751863b1a1ee458660fcad87b801983d5d153682114944f51a315432e6d2
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A001D1B2654748AFD321DF64CD45B167BE8F784B19F00893DA648CB190F374D844CB46
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: MUI
                                                                                                                                                                                                                      • API String ID: 0-1339004836
                                                                                                                                                                                                                      • Opcode ID: ac4f5ed3d8d09c2a5d625e9dc1e004d780641804e4e48da2e032205c201ab9a4
                                                                                                                                                                                                                      • Instruction ID: 65ff8d832bff0c4d81e18df79926ba7042df25794d9ae8271257ea0f20f25538
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ac4f5ed3d8d09c2a5d625e9dc1e004d780641804e4e48da2e032205c201ab9a4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5F826A75E002198FEF25CFA9C980BEDBBB5BF48310F148169E919AF391D770A941CB52
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 0-3916222277
                                                                                                                                                                                                                      • Opcode ID: 1581faa1144ada766ce92ca7ef059f960b794cb24c35fe367aea4d1b7510a0f8
                                                                                                                                                                                                                      • Instruction ID: e2ddae38a2fe650344882bd47bd052e34b5f0b66d1beaca83b9e28b7337923d6
• Opcode Fuzzy Hash: 1581faa1144ada766ce92ca7ef059f960b794cb24c35fe367aea4d1b7510a0f8
• Instruction Fuzzy Hash: 0F916071A4121AAFEB21DF99CC85FAEBBB9FF54750F144065F600AB294D774AD00CBA0

Strings
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: GlobalTags
• API String ID: 0-1106856819
• Opcode ID: 7a33ecc541f95399652535e51796f887c7aa3be0dec58b60b6200a7fa9c335ea
• Instruction ID: 68a78e46a734cb9974799164a33210d45bf26772d98b073e29884b59d85002a6
• Opcode Fuzzy Hash: 7a33ecc541f95399652535e51796f887c7aa3be0dec58b60b6200a7fa9c335ea
• Instruction Fuzzy Hash: 7C714175E0021A9FDF19CF9CD9906AEBBB1BF88710F14812DE505AB381E7719951CB60

Strings
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: .mui
• API String ID: 0-1199573805
• Opcode ID: cdb59990749f9ca95a40806ca1f91250ce37740cc5162cc548e4677b191b3c47
• Instruction ID: 51e690ce4e3e2ccb8db6a00189169f56d19f7049c6adb8c69ab9ffba47b8e9f3
• Opcode Fuzzy Hash: cdb59990749f9ca95a40806ca1f91250ce37740cc5162cc548e4677b191b3c47
• Instruction Fuzzy Hash: 61518372D0022A9BDF14DF99DC40AAEFBB4BF84650F05416AE911BB354DB749C02CBE4

Strings
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: EXT-
• API String ID: 0-1948896318
• Opcode ID: f263eb9b8fa4944cd562b70084cf9e4837507744087c0e2752b84fecd7019f43
• Instruction ID: db6d926acd5ee29a2f62cf14281278c9dfe8de447f141fbac7dc718867b71fb0
• Opcode Fuzzy Hash: f263eb9b8fa4944cd562b70084cf9e4837507744087c0e2752b84fecd7019f43
• Instruction Fuzzy Hash: 2F4181725483429BD710DA79C981B6FBBE8FFC8614F84092DF684DF180E674D904C7A2

Strings
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: AlternateCodePage
• API String ID: 0-3889302423
• Opcode ID: 2dde17d751308ec6f648d8312810109888be8d810bac4834cef8e6d2ca6cc3d0
• Instruction ID: 16be2bfbf45783762d4b9dd08c45273bfa3530aad6eb5c2515f86ab396ea096b
• Opcode Fuzzy Hash: 2dde17d751308ec6f648d8312810109888be8d810bac4834cef8e6d2ca6cc3d0
• Instruction Fuzzy Hash: 3641A675D0021AEBDF29DBA9CC84AEEBBF8FF84710F14415AE511EB250D7749A41CB50

Strings
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: BinaryHash
• API String ID: 0-2202222882
• Opcode ID: f9f71523bd7147b5f336ce14459495fcf6eb7f3c5e6486ddca83ead7b0f7274d
• Instruction ID: b4779608049adb8cddab0aeb9425a605efc8c49f28f5041facceb236eae3ab10
• Opcode Fuzzy Hash: f9f71523bd7147b5f336ce14459495fcf6eb7f3c5e6486ddca83ead7b0f7274d
• Instruction Fuzzy Hash: F14145B1D0052DABDB21DA54CC84FDFB77DAB45714F0146E5EA08AB180DB709E898F98

Strings
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: #
• API String ID: 0-1885708031
• Opcode ID: 9f978518afac21f0d57b059d7afb8ee5a0993be762c72ae7c601e2aa28085425
• Instruction ID: 21783af9cb31f6a3f9a746dfc93ba47b54d53cb79f1a697bc3e310a0d435d6c8
• Opcode Fuzzy Hash: 9f978518afac21f0d57b059d7afb8ee5a0993be762c72ae7c601e2aa28085425
• Instruction Fuzzy Hash: 9431E531B00A699AEB22EB69CC50BEE7BA8EF44704F544068ED41AF282D775D815CF50

Strings
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: BinaryName
• API String ID: 0-215506332
• Opcode ID: 2c9469abf03b4bcfafef18f3bb5afb03fdf4d24e4490cb0d0bff1083b643deb8
• Instruction ID: 8d1591ce9ace2496ce715455c37ad7adc111679dc7319c2b03fe24f27390891e
• Opcode Fuzzy Hash: 2c9469abf03b4bcfafef18f3bb5afb03fdf4d24e4490cb0d0bff1083b643deb8
• Instruction Fuzzy Hash: F031E536900916AFEB1ADA59CC55E6FBB74FF80710F1142A9E905AB290D730DE04DBE0

Strings
• AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0161895E
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
• API String ID: 0-702105204
• Opcode ID: 8248e92661356623c9f6ab55b7a90bda3e52aac5063590d5937e1a62f61f2c8c
• Instruction ID: 64b8d1d6ac23d240c278e710413ebece4d8e6be205238496725b71cfed1c5e57
• Opcode Fuzzy Hash: 8248e92661356623c9f6ab55b7a90bda3e52aac5063590d5937e1a62f61f2c8c
• Instruction Fuzzy Hash: A901F732610202AFE7346E5D9C94A6A7B6AFFC57A4B0C191CF6421B669CF206881C796

Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39187277d691cd4cb7c4e82ecaffca208e72f57aa55bdbbe96cd81deb39fdddb
• Instruction ID: f0b8d7cd69eae8425c0673d5410579b29b297d91ca66977e3e5f0fe0d9517c9b
• Opcode Fuzzy Hash: 39187277d691cd4cb7c4e82ecaffca208e72f57aa55bdbbe96cd81deb39fdddb
• Instruction Fuzzy Hash: 6942AF316083429BE725CF68CCA0A6BBBE5BFC8700F49492DFA8297350D771D949CB52

Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 54e7ce91dabbee860db94c371294d9d7fadc5b9b24868337c764f2554439b833
• Instruction ID: 3c4ada9ff4a4903a70a9db42a631fad0c9de9f18feb378e6ce65a43c8751c857
• Opcode Fuzzy Hash: 54e7ce91dabbee860db94c371294d9d7fadc5b9b24868337c764f2554439b833
• Instruction Fuzzy Hash: 48424D75E006299FEB24CF69CC81BADBBF9BF88300F158199E949EB241D7349985CF50

Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: ad3e0d6e0384656a6fb7d03ad1d47bd046be0afc4655712d9e069992395fab8f
                                                                                                                                                                                                                      • Instruction ID: 20e116fe8f36b49dba8eb1f8b7fe8b52af07f57fb3636c27c12108de7816792c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ad3e0d6e0384656a6fb7d03ad1d47bd046be0afc4655712d9e069992395fab8f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C832DC70A007568FEB25CF69C8547BEBBF2BF84704F24451DE68A9F285DB35A842CB50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 8bf76c7a83cd4ffa5d1892498ab858c1384ebb42b6b530d0b2763a37b5b09089
                                                                                                                                                                                                                      • Instruction ID: 8aaef71b6924779f4fd435707c30a502e69509182f759f1cee77b31ee7ade9d1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8bf76c7a83cd4ffa5d1892498ab858c1384ebb42b6b530d0b2763a37b5b09089
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B622BE742046618BEB25CFADC894772BBF1AF85300F08855AE9D6CF386D735E452EB60
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 58a8d3c3dae2d1d29ee0db5fac2e361c5d1d8c6c3e5787fc762381899c1cf192
                                                                                                                                                                                                                      • Instruction ID: 9812f7d706734afa15927172a42ec3b68331e03aa980b5826098f6ec9054a998
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 58a8d3c3dae2d1d29ee0db5fac2e361c5d1d8c6c3e5787fc762381899c1cf192
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E1328B75A00605CFDF25CFA8C880AAEBBF2FF88310F144569EA56AB391D734E845CB51
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                                                                                                                                                      • Instruction ID: fecccd2611f362c14b9f5defd40a7cc6a8d4797a8fcd2b8817c86ddc77684ad4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DFF12D71E0021A9FDF25CF99D590AEEBBF5BF48710F048529EA06AF245E774D841CB60
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 4650ffbf900f7df5d51169bbe5facf3e32b699c93ed5a414a5720c49956fca17
                                                                                                                                                                                                                      • Instruction ID: 1694610eaa3fcbd57f15b1a710079bf895729335d8a18bc0588f716ca09cc3c3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4650ffbf900f7df5d51169bbe5facf3e32b699c93ed5a414a5720c49956fca17
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C6D1F271E00A2A8BDF15CF68CC41AFEB7F9BF88304F188169D955A7241D735E9068F60
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 5f8b0b3fb6ccb64d5825ca536856928e66d78dd9117cdc27c12115f223511ff5
                                                                                                                                                                                                                      • Instruction ID: 51a62ff285a59cbe19d572b5a8d7a922ecfaff33d3c8de607962444ddff3cc9d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5f8b0b3fb6ccb64d5825ca536856928e66d78dd9117cdc27c12115f223511ff5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1FE17F71508342CFCB15CF28C590A6EBBE1FF89314F05896DE9998B351EB31E909CB92
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: af7c353b32be1fb83a68e6dcffe7335eab7dad780219f73022a7c8b3cae739f3
                                                                                                                                                                                                                      • Instruction ID: fb85fe095832ac08a465baebab75495ab4cba96992447acf10f48aea931d0bd8
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: af7c353b32be1fb83a68e6dcffe7335eab7dad780219f73022a7c8b3cae739f3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 83D1C071A006079BDB18EF69C890ABE77F5FF94308F544629E916EF290E734E950CB60
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                                                                                                                      • Instruction ID: fc5bcf14e287fa5c9ccbfcd25cf61fb574695ad021e2e0eb0a9e3d972e0794df
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2CB19375A00605AFDB25DF99CD40EABBBBEFF84304F18845DAA0297798DB34E905CB50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                                                                                                      • Instruction ID: 5988b7d412e276c184cc3f547b391534933f4dfa8d8f6b3985983f7811b8dac2
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 92B1F431610646AFDB25DBA8C850BBFBBF6BF88304F540559E6569F381EB30E941CB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2215dca57fd01bab1afac735b0cdd01bb6c7d366cad7f7676c08d6a35ba24822
• Instruction ID: 997466e09dbd316a1c05eedd5188cd5cf72195dbc253d9a33c9960b417c7a065
• Opcode Fuzzy Hash: 2215dca57fd01bab1afac735b0cdd01bb6c7d366cad7f7676c08d6a35ba24822
• Instruction Fuzzy Hash: 14C15870108345DFD764CF19C494BAEBBE5BF88304F44492DEA898B291E774E908CF92
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0ee7ca8997babccb47d3c08484442bd290823409bcd1edd68b04f5d518271d6f
• Instruction ID: a915ad3a8260706c1ee740c4da14b1311d581c41d5ddd0c5c5cf1c322ede678b
• Opcode Fuzzy Hash: 0ee7ca8997babccb47d3c08484442bd290823409bcd1edd68b04f5d518271d6f
• Instruction Fuzzy Hash: 34B15F70A002668BDB64DF68C890BADB7F5BF84704F0485E9D54AAB291EB709D85CB31
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e7462e9d1da3f7e3dc399ca7db54b211c2fc135a1dc4a1d63bf9ef97e94e9b98
• Instruction ID: 7bb8b61ad608cfa97956a5e6a5e80baf9b33d2f5081a95fc7f4cbee4d3494d1b
• Opcode Fuzzy Hash: e7462e9d1da3f7e3dc399ca7db54b211c2fc135a1dc4a1d63bf9ef97e94e9b98
• Instruction Fuzzy Hash: DAA12632E00659AFEB21DF98C885BEEBBA4FB01754F08011AEB51AF691D7749D40CBD1
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7c861fdefd95251dd21e52ddaf271468501957b57ec4b1a13c45917aeb1bfe42
• Instruction ID: 9eb3b467e5451931326c57747c8a4f6f21680dd06f31a85e91c1bc805d3f0cfd
• Opcode Fuzzy Hash: 7c861fdefd95251dd21e52ddaf271468501957b57ec4b1a13c45917aeb1bfe42
• Instruction Fuzzy Hash: 22A1A070B016169BEB35DF6DC990BBEB7A5FF54318F004529EA499B2C2DB34E811CB90
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0ebde36031e6193a6600d50071067d2a836674804275a6e2dc10b1c51708af59
• Instruction ID: a1e26bce7ff292a5555ecd5d4b62d3506767966d02f2a2a93c44558209bc88c2
• Opcode Fuzzy Hash: 0ebde36031e6193a6600d50071067d2a836674804275a6e2dc10b1c51708af59
• Instruction Fuzzy Hash: BEA1CB72A10252AFC721DF18CD80B6ABBE9FF88708F45462CE5899B750DB34EC51CB91
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dc61b3cf30b873d4f8b2d33d21ba00ac69ff6ebd3e206e41f7c9b1252b912291
• Instruction ID: 67c053a95efe9f940cbef240a4db82e09531b9c84fe3ce866445e1385becd370
• Opcode Fuzzy Hash: dc61b3cf30b873d4f8b2d33d21ba00ac69ff6ebd3e206e41f7c9b1252b912291
• Instruction Fuzzy Hash: 4F91B075E00216AFDB15CFA8DC90BAEBFB5AF48710F194169E610EB355D7B4E9008BA0
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4b614e2d22daded9cad21b1ca526c67bd3f0c481b269ac366245fb5a1f6245f5
• Instruction ID: 302bc20eb6c49223ba306611f52dd4a34523d91cc2a2986f3060c1d42b55ee7c
• Opcode Fuzzy Hash: 4b614e2d22daded9cad21b1ca526c67bd3f0c481b269ac366245fb5a1f6245f5
• Instruction Fuzzy Hash: 13914531A40616CBEB24EB58D841B7DBBE1FF88718F454469EA459F280E734D941CBA1
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ffa6eceb965f4adc5d09f9335d5bcc9d89c23a941f0fb8c1996bbda66c574c9
• Instruction ID: c9001a00a22348dfb1ec850edb1d8d2d847cc11427cc8d01fcc84618d5a140bb
• Opcode Fuzzy Hash: 2ffa6eceb965f4adc5d09f9335d5bcc9d89c23a941f0fb8c1996bbda66c574c9
• Instruction Fuzzy Hash: 1E81A3B1E006169FDB28CF69D944ABEBBF9FB58740F04852EE455EB640E334D940CBA4
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
• Instruction ID: b40d23d0d0803aa22e3b53c0ba26bfea274d82b14ec5c39e25c909f1151a8fae
• Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
• Instruction Fuzzy Hash: 80818272A0020A9FDF59DF99C890AAEBBF6BF84310F14866DDD169B345D734E901CB80
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a3f0c79ff021a43700c04f984ab1f40bc47145f0104107d54bd4c1ab1989b868
• Instruction ID: cfe9e2b8dccf7cb78a45c10c4e59eca157a9eda2aee73f3fb9bc5d646a315c47
• Opcode Fuzzy Hash: a3f0c79ff021a43700c04f984ab1f40bc47145f0104107d54bd4c1ab1989b868
• Instruction Fuzzy Hash: 57719275A04313DFDB29DF29C988B6EB7E4BB44258F044929EA59DF240E730E854CB92
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc481bd4c3ad847ef393f849363d3352260b0c10ddea536a780e48f40d172f6f
• Instruction ID: bd799331de9b62a0bc526b83589ed09ed91e66794dc877677520e231f9199130
• Opcode Fuzzy Hash: fc481bd4c3ad847ef393f849363d3352260b0c10ddea536a780e48f40d172f6f
• Instruction Fuzzy Hash: 36816F71900609AFDB25CFA8C881AEEBBFAFF88714F10442DE556AB250D730BC05CB60
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: be054406ea26d30714be694f340c1f01108f411f5d4ef41e0bb9462dfc626574
                                                                                                                                                                                                                      • Instruction ID: 3902a18e55884a585c1f1d776e2c341b2e56e28841043500019419fc54c684de
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: be054406ea26d30714be694f340c1f01108f411f5d4ef41e0bb9462dfc626574
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AD71AC7590466ADBCB25CF58D8907BEBBB5FF48710F54455EEA42AF390E7309800CBA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: f5934d91ffafdbf644e9dbb6fb409fbd42e1c2e49ac2ba616dfb0b636caa65f2
                                                                                                                                                                                                                      • Instruction ID: 594b57f9145173c6a2eb6a9ba778ff8612e55b7cca3c09766e9f4c16bb5276cb
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f5934d91ffafdbf644e9dbb6fb409fbd42e1c2e49ac2ba616dfb0b636caa65f2
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CF71AE709046669FCB15CF59CC40ABABBF9EF95304F048099E994DB342E335EA45CBA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 6520d66d1e502fb63f1b1331d8625322b8451e24c54e763e5b9376b0e4f75158
                                                                                                                                                                                                                      • Instruction ID: 5cf2add3a351b7ef2c9882148657276f5ed72f26978c1f315d62aaf2758a7c97
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6520d66d1e502fb63f1b1331d8625322b8451e24c54e763e5b9376b0e4f75158
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0871AC356446429FD312DF2CC481B6EBBE5FF88310F4485AAE8998F352EB34D946CB91
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                                                                                                                      • Instruction ID: 994230561d0bdc61ee508da366580cbf0a2593b2b261258b05267b84ee35dcb9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E3715F71A0061AEFDB10DFA9C984EDEBBB9FF88704F144569E505EB250DB34EA41CB50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 05eb5c077ee49f15f869fb2ac5dd881870f8ac78bf9d0a26c574ef0fc4f14a1c
                                                                                                                                                                                                                      • Instruction ID: 4b17f2815647a83835ae111b0509bfc63029153139f7c36e0ba182a27de0be3e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 05eb5c077ee49f15f869fb2ac5dd881870f8ac78bf9d0a26c574ef0fc4f14a1c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 24710432240B12AFE732CF18CC44F5ABBA6FF80714F148518EA968B2A0D770E945CF50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: cac3a2a2b7bbc72608dea7692e7210bcf0e307f9578913ca2d84c5161f141819
                                                                                                                                                                                                                      • Instruction ID: 05b15358d765704b5c9b82f711a1d56fd327b25fb7cb88cb1e777fa9c1e1d16a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cac3a2a2b7bbc72608dea7692e7210bcf0e307f9578913ca2d84c5161f141819
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F0817EB2A043169FDB24CF9CD884B6E7BB2BB89314F19522DDA00AF285C774DD41CB91
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 6ed16b959edefdfb236d4dc9888eb738c67e02113336eeafa012d5b51c10c058
                                                                                                                                                                                                                      • Instruction ID: fd56a6d73fe578acf2cf2c350df68df287b53f9a22d2196054893d9278ebfe38
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6ed16b959edefdfb236d4dc9888eb738c67e02113336eeafa012d5b51c10c058
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4651BE716007429FDB31DF59C8C5AAEB7E9FB84309F54492EE2028FA01D774E844CB91
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
                                                                                                                                                                                                                      • Instruction ID: acc12ae45f3b93f1ecd45605bddce6363a3cdfd00fe8f83bddb3a005816b0a8e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CB516075E0064ADFCB15CF9CC9C17EEBBF1FB88210F1A8569EA15AF210D6349A41CB54
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: e9eac073f052f112e2345eef6a231ee3a74ea5e4cba7f59fe675410860ec67c2
                                                                                                                                                                                                                      • Instruction ID: 8489e331530b539fe31faea3f8c7b32cfb97b0121994c35e6853b11f924de3a2
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e9eac073f052f112e2345eef6a231ee3a74ea5e4cba7f59fe675410860ec67c2
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 52518A71640A06EFCB22EFA9CD90E6AB7FAFF54744F40086DE5458B261D730E940CB50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3046d95dbee8bf34ed73a1dd13128374111d165c7b37641b840b45d1ec643cf0
• Instruction ID: cb2594d6a4f198d9dc9fdd0a0b7244f2f65669265c94097d6d6ab2db1df3888e
• Opcode Fuzzy Hash: 3046d95dbee8bf34ed73a1dd13128374111d165c7b37641b840b45d1ec643cf0
• Instruction Fuzzy Hash: A75134716083429FE754DF2AC881A6BBBE5BFC8208F444A2DF589C7350EB31D905CB96
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 065f4ea83e493cbd7a352b70e54527e42f6933eadb44f63f2935546a5d6331d8
                                                                                                                                                                                                                      • Instruction ID: be6759b927ca8d84360199517c01d9a904e6ac02911e547b5526eb17e9e19a71
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 065f4ea83e493cbd7a352b70e54527e42f6933eadb44f63f2935546a5d6331d8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F0419171E502699BCF21DF68C945BEEB7B8FF44740F4104A9E908AF281D6349E80CB92
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: c1d9e6a94f78fe2698797307ea0f8c4d2676ae1201ed83ba8f4d778d57798edd
                                                                                                                                                                                                                      • Instruction ID: 6e1e46b2cf084a6e00e8f3dbc412c8c0e0fb300d54086dda52c0294441d60ac4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c1d9e6a94f78fe2698797307ea0f8c4d2676ae1201ed83ba8f4d778d57798edd
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A941B271A00315AFEF319F28CC80BAEB7EABB55614F04089AF9459F281DB70ED40CB52
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                                                                                                      • Instruction ID: 8305dfadeb35edb66cb17332fee82faddb3e27398b48492b07160a8488b2a2b3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B9419275B00216EBEB55DF9ACC84ABFBBBEAF88610F144069ED04A7741DB70DD0187A0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 0956f708fdaa2789859586bde1f93c02472487af20c459bea703a33a7a88d9d9
                                                                                                                                                                                                                      • Instruction ID: c6fe07b591c91e7404d29eb6b6e8a036e7fa8e69d0edbefb1a6d6c15f9d73df5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0956f708fdaa2789859586bde1f93c02472487af20c459bea703a33a7a88d9d9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 874193716007029FDB25CF28C480A2AB7F9FF49314B144E6DE5578FA91E730E455CB91
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: b3c60f618da854fd0a15354616aea0aca8a9f3e64ff72aaa9ef0e4676f2a2717
                                                                                                                                                                                                                      • Instruction ID: 47ddee41c3efb3c4f97e118837b5bbf147a36cb7740a2d3b7e7e03c9c57eef7c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b3c60f618da854fd0a15354616aea0aca8a9f3e64ff72aaa9ef0e4676f2a2717
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9141A932A40206DFDF25DF6CD995BEE7BB0FB98364F040669D511AF291DB349A00CBA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 49850f81fc5788294eeab1c3aca20d2b8035ebc158e1ce919e0f3001c716c1a4
                                                                                                                                                                                                                      • Instruction ID: 8ae084aeba7c75738b72042438a40856f8b7a23beaf46fef44f137a54638c6db
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 49850f81fc5788294eeab1c3aca20d2b8035ebc158e1ce919e0f3001c716c1a4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1041DC72A0020BDBDB249F5CCC80B6EBBB5FBD6604F14822ED9019F255DB75D842CB92
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 1d5384ba3a35cf239ed29770a8441ad3ae7cae8734af15c7dcbdd40d6fc77b50
                                                                                                                                                                                                                      • Instruction ID: bf8817853371ed31a2ef738938fbaa6873e2f2b4a6a3c1e7b5c02d95cb3bfbb4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1d5384ba3a35cf239ed29770a8441ad3ae7cae8734af15c7dcbdd40d6fc77b50
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EA413F319187169ED312EF65C880A6FB6E9FF84B54F40092AF984DB150E731DE458BA3
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                                                                                                                                      • Instruction ID: 0e9c0452081a80805aa432730dab2f8c18e5c1a638061d9712a5a2516fe2aa2e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 45416E31E00212DBEB15EE5884847BEB7F1FB90752F15806BEA60AF241D6329D41C791
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 416f7197c79eaf56adc66a6f13d9407264e5a000e3344d329527d1b3cf26d072
                                                                                                                                                                                                                      • Instruction ID: 35feeee73ccf909afd49dc68d79ee9981ba9cfcf05319c6ba1b974f359495a20
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 416f7197c79eaf56adc66a6f13d9407264e5a000e3344d329527d1b3cf26d072
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 84416D71A40601EFDB21CF18C840B2ABBF9FF54314F648A6AE549CF291E775E941CB91
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
• Instruction ID: 628f4724648fa90801fed71e3e8f734c5d6c77cdb5af23388a039701c86970c6
• Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
• Instruction Fuzzy Hash: AB410B75A00605EFDB24CF98C990AAABBF4FF18B00B10496DE556DB691D330EA44CF50
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6d5b78d441e01a2be4faf7806b293697191b80c5483547aa263c69406269a583
• Instruction ID: 7eeb0d9b0821ad85880af56758298f457df61f59e0b4bb80475bb3a9dee628e0
• Opcode Fuzzy Hash: 6d5b78d441e01a2be4faf7806b293697191b80c5483547aa263c69406269a583
• Instruction Fuzzy Hash: 5141B3B0901701EFCB25EF28D940B6DB7F5FF85314F148699C50AAF6A1DB30A941CB92
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6af99f67b4715387e04434fbab926f59304562c41cdc6261149bc154829c44ea
• Instruction ID: daa7a6a6a2d14ca48aba102a41b65c8b95a0216df6a1d8150370eb8de28bc961
• Opcode Fuzzy Hash: 6af99f67b4715387e04434fbab926f59304562c41cdc6261149bc154829c44ea
• Instruction Fuzzy Hash: 623199B1A01346DFDB12CFA8C840799BBF4FB48B14F2085AED109EB291D3729902CF90
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7ab1d6784a73862638d72ecb872ab0a92d31fc4012a4fd0611a2bda6c08ba438
• Instruction ID: 25d5462f20f27d59547add1a54cbb5c4a6bf85a6a9d2ebf8b0366d6c9c7085b0
• Opcode Fuzzy Hash: 7ab1d6784a73862638d72ecb872ab0a92d31fc4012a4fd0611a2bda6c08ba438
• Instruction Fuzzy Hash: A4417C72508301AFD760DF29C845B9BBBE8FF88654F004A2EF998DB251D7709945CB92
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c406b0e7e41d936d4778cec3c4bbc860297e966136e0cc070ea29fdfa500d700
• Instruction ID: 9d60a4706705bedbc87fdded81d73ecb7450b4e36a4e6139185fb973b2b4ed8b
• Opcode Fuzzy Hash: c406b0e7e41d936d4778cec3c4bbc860297e966136e0cc070ea29fdfa500d700
• Instruction Fuzzy Hash: 3541CE726047529FC720DF6CDC40A6AB7E9BFC8700F184A2DF9949B694E730E944C7A6
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 135a5c925493e02d2fbab9fe1deaeff5430f9ad216b24217c77fd5bd8c901c9f
• Instruction ID: 9024f4cf6a57b676d749a1c4610afbb83d0e60c06d3c87aae8483372a339c8d8
• Opcode Fuzzy Hash: 135a5c925493e02d2fbab9fe1deaeff5430f9ad216b24217c77fd5bd8c901c9f
• Instruction Fuzzy Hash: FE41B0306003029BDB25DF28DA94B2EBBEAFF80354F14452DEA458F291DB30DC52CB92
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction ID: 9e6ab09bb6f76491dca945d1fc6463e241447437b338234968dd061f534165b1
• Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction Fuzzy Hash: 6B31D331A54245ABDB118B68CC40BAFBBE9BF54350F0445A6F455DF392D6749884CBA0
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 96fba42434c57b599ab243d9d9ad6b8dd9a3fc8c70aa2b50c04e7cf7c879ef64
• Instruction ID: 9305338738b328e3343cea0040150bc9eb4d82f0e46e56e24a7e09d0daf9bed0
• Opcode Fuzzy Hash: 96fba42434c57b599ab243d9d9ad6b8dd9a3fc8c70aa2b50c04e7cf7c879ef64
• Instruction Fuzzy Hash: 2D41A275200B45DFDB22CF28C981B9A7BEABF45314F04481DE6598F291D774E841CBA1
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
• Instruction ID: c176d4ce47c8237a269b7ac85c3a255fb0f056f92f6fd83b6d3d96fed479b81e
• Opcode Fuzzy Hash: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
• Instruction Fuzzy Hash: 9F31B072605346AFD726DA24CC41E6BBBA8EFD0660F04496DF9518B250E770EC09CBA2
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 36131bd5766ae502713355705deaca2375a188c7accf7f51837a9eb6605a69f1
• Instruction ID: 83dcee49ed9426befb8a71999556353c514772d5ac427ea1502f7c552ab1311e
• Opcode Fuzzy Hash: 36131bd5766ae502713355705deaca2375a188c7accf7f51837a9eb6605a69f1
• Instruction Fuzzy Hash: 8531EA71241A92DBF32B579CCE48B16BBD8FB40784F1D08A4EB458B7D1DB69D841C270
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ccbb2650be16b56bb5b75d9e99cfb0e5c4e39943c0a6aa5b1de19c66804f9773
• Instruction ID: 419bc9855d4670d45dba471bb060f7ab3f3a9a5f80f9fb7ba75986456df422fb
• Opcode Fuzzy Hash: ccbb2650be16b56bb5b75d9e99cfb0e5c4e39943c0a6aa5b1de19c66804f9773
• Instruction Fuzzy Hash: A531A175A0025AEBDB15DF98CC40FAEB7B5FB44B80F858169E900EB254D770ED41CBA4
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 0f75bb0275caec53d7f356e5476f36516aca5c2711879d5955fff8c74132605d
                                                                                                                                                                                                                      • Instruction ID: 60ac3a45ae126afa241d3b1c8d0625e1feebf95f9ae5aa669de5136e5763717d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0f75bb0275caec53d7f356e5476f36516aca5c2711879d5955fff8c74132605d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 68313076A4012DABCF21DF58DC84BDEBBBAABD8350F1401E5A508A7250DB34DE918F90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: fcbe5284c0dffe1f9e68617a914b9728e46d88669c3456c5c8449cd1eeabb255
                                                                                                                                                                                                                      • Instruction ID: 6f3fd55c8917c349c1a2385c35ad20a8d698fe941e9db171141f9abb16062f03
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fcbe5284c0dffe1f9e68617a914b9728e46d88669c3456c5c8449cd1eeabb255
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C431C972E00215AFDB31DFA9CC81AEEBBF9FF44750F054466E515DB250D6709E008BA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: efb381f8c262c7ec4c31595136c8a7f5d262e9aef5d44e0e5fb040de821c9239
                                                                                                                                                                                                                      • Instruction ID: 0ed8d8c656f10431c76010a1adf9c5997cad602f54bd229dc1ef175ba2043574
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: efb381f8c262c7ec4c31595136c8a7f5d262e9aef5d44e0e5fb040de821c9239
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2131C071A40606AFDB22AFADCC50B7EB7BABF84755F404169E906DB352DA70DC01CB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: c716de0ffd11ac6b246ff4ea0ff66152378b2eb19f8e74b812309f3a59c3bbc5
                                                                                                                                                                                                                      • Instruction ID: ee5132bc7dd2192b0878f469394649bfb3f947f1842d6634685465aa19dcc5e2
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c716de0ffd11ac6b246ff4ea0ff66152378b2eb19f8e74b812309f3a59c3bbc5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 59319372B04612DBCB12DE24C89096BBBE9FFD4650F054969FD59AF290DA30DC1187E2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 82d9b2c960364ab4244fd2055d9acaa2bc57747c0a1e0050dc8d3720a811256c
                                                                                                                                                                                                                      • Instruction ID: af415e29defa61a62dcfa92e45d46fa67d3a56923cbcc74660278cb8de10581a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 82d9b2c960364ab4244fd2055d9acaa2bc57747c0a1e0050dc8d3720a811256c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CE3181B26053019FE720CF19C840B1BBBE9FB98700F05496DEA849B791D770E848CB92
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                                                                                                                                      • Instruction ID: fabc4e77b77589bbb3955aa63cf91d37c269d50430105476ee2a9e0ae352542f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CC3128B2B00B05AFD765CFADCE40B57BBF8BB48A50F04092DA59AC7650F730E9008B60
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: a749469d350c49db5137aefa095754efb7a92d986243e7547c21a713910be63d
                                                                                                                                                                                                                      • Instruction ID: e3b41fbae8fd990d5df375d05923d88b6e6d30ae35ec41b7eaf314ed9fcf32db
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a749469d350c49db5137aefa095754efb7a92d986243e7547c21a713910be63d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7331BA71A453029FC711EF19C94095EBBF1FFC9614F444AAEE498AB311E332D946CBA2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 044ad5b1a0bb5b6a3409d33c9bcb9396646afbed8cac5d7a9aa870148998fc03
                                                                                                                                                                                                                      • Instruction ID: e8d985714a8942c922c8246b987f7541a331f7068884c439e204edc4bd9ad084
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 044ad5b1a0bb5b6a3409d33c9bcb9396646afbed8cac5d7a9aa870148998fc03
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2231C271B00206DFD720DFA8C9C0AAEBBFABB84304F008529D246DB655D734E941CBA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                                                                                                                                      • Instruction ID: 70cfd37bdfcabfa8a573d477fd7fee16a44a9ce7245c822f990a49c7d53baa47
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9B21F232E4065BAADB14ABB9C840BEFBBF5BF54740F0584369A15FF240E270C90087A0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3ab973030ae61fae93221a0e66ba99335b7732e33128477711f5c867aac80dc3
• Instruction ID: 019b7044cf6f597bb313b184c5bd822e45d7ad90d58f1c890e16f88be260d47f
• Opcode Fuzzy Hash: 3ab973030ae61fae93221a0e66ba99335b7732e33128477711f5c867aac80dc3
• Instruction Fuzzy Hash: 9A3149B19402519BDB35AF58CC45B6D7BF4FF90304F4481A9D9859F382EA749981CB90
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
• Instruction ID: de9f490d128f5786fb6e4ebb5d244d9013a767ea527e7b445266f34cc5ea3445
• Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
• Instruction Fuzzy Hash: 8F21D836602653ABCB25AB958D00ABEBBB5EF90610F40841EFB958A791F734D950C760
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 354afac749a2bbf6f3e03869e56b636bb4f44528a6a0debd250dafc91a6c3722
• Instruction ID: fe3a8bf4a3efd84b5eaffddbec6fc85d6e73d3d38830d6794b31254efbaaedea
• Opcode Fuzzy Hash: 354afac749a2bbf6f3e03869e56b636bb4f44528a6a0debd250dafc91a6c3722
• Instruction Fuzzy Hash: 6631D831A4012D9BDB31EB18CC42FEE77B9FB55740F0105A1E649BF1A0D6749E808FA0
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
• Instruction ID: 66ab33c9670edfada6e926aa1718c6cbef5dfb5c4339c27f3bf465f0bfcddaec
• Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
• Instruction Fuzzy Hash: DE217135A00649EFCB15CFA8C990E8EBBB5FF48B14F108069EE159F245D671EA458B90
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf4306732580cb600bca0ffed2973145c2a9b416f06f930ea5e457b843483b2c
• Instruction ID: 13c57b55f67d29f0a53093da5c1b65e5c44caa1c67666599f7d4cf582b7fa368
• Opcode Fuzzy Hash: bf4306732580cb600bca0ffed2973145c2a9b416f06f930ea5e457b843483b2c
• Instruction Fuzzy Hash: 47219C726047469FCB22CE58C890F6BB7E4FB98B60F01492DF9559F641D730E9008BA2
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
• Instruction ID: 87c50d7f6a57eb73072e724c25bf787449f2e21865c87c76f29d221717bd108a
• Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
• Instruction Fuzzy Hash: 8E318931600605EFE721DBA8C885F6AB7F9FF85354F1049A9E556DB290E730EE01CB50
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ec92ee4d45843b2f76b3669bb9937ca70ca8f0e94d9d583d3ecd238965073151
• Instruction ID: 5a6b835ab163ebab239fd1cc7e3fafa05edea6e321e7cbe34745ceca31b8f2cf
• Opcode Fuzzy Hash: ec92ee4d45843b2f76b3669bb9937ca70ca8f0e94d9d583d3ecd238965073151
• Instruction Fuzzy Hash: 3B31B175A20225DFCB19CF1CDC849AEB7B5FF84304B154959F8059B391EB32E941CB90
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
• Instruction ID: 5e8473c1b22b99182b6eb1abe60f95c20215494faff8f45e6db700b1487b3c23
• Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
• Instruction Fuzzy Hash: 282136B2601B46DBEB26976CC818B297BF4BF41794F0D04A8DF028F6D2E3A8DC40C251
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 532ea10c2041305e152eaa4ec4a075fc586509167159ec92dbd7ec7168c59030
• Instruction ID: 2adaf83f405273681ce465e72cee9511e8100c845d1716994c442b882f2901d0
• Opcode Fuzzy Hash: 532ea10c2041305e152eaa4ec4a075fc586509167159ec92dbd7ec7168c59030
• Instruction Fuzzy Hash: 10219F7190062AEBCF20DF59CC81ABEB7F8FF48740B544069F941AB254D778AD52CBA0
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 24115eb9b3646ed883283e14aa062764bc229fc0d017dd35135c7bddd950c7f7
• Instruction ID: d7898c2948ecda0f022a93478653c16009bdb533968798bff0a03873dd6775a2
• Opcode Fuzzy Hash: 24115eb9b3646ed883283e14aa062764bc229fc0d017dd35135c7bddd950c7f7
• Instruction Fuzzy Hash: B721AB71600606AFDB15DBACCC40E6AB7A8FF98740F184069F904DB790E738ED40CBA8
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 61765cd93ec7c7de0957193f72756b97637fcf33c520530feae5f8987caf2c56
• Instruction ID: 7f7490ab3871d4e96a414b02490c872cfa2e7fe13e0f9646b239648c33bd0cec
• Opcode Fuzzy Hash: 61765cd93ec7c7de0957193f72756b97637fcf33c520530feae5f8987caf2c56
• Instruction Fuzzy Hash: 7C21CF729042469BDB11EF59CC44B9BBBDCBF90244F0C8456B980CB265D730C985C6A2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: ece723b84e773474e9b553a4366304decff0d2afac8c7319a6bee781f51f314c
                                                                                                                                                                                                                      • Instruction ID: 62c692fd7fe2b5dd38381a9d7c6a7f9424f3619884be9736f88de0f1028cf029
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ece723b84e773474e9b553a4366304decff0d2afac8c7319a6bee781f51f314c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 34212931644782DBE722576C8C44B6C7BD4BF41774F280368FA25DF6E2D768D8018262
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 9f7ed5e824366f0ba35174a8e95daf81f5a06480f940dbb3697c0570ce006708
                                                                                                                                                                                                                      • Instruction ID: a49831a8d1085c2829e30a288e6280697b7746f30d199bb15d81aa747c9c2aa4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9f7ed5e824366f0ba35174a8e95daf81f5a06480f940dbb3697c0570ce006708
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0721AC75250602AFC72ADF69CC00B56B7F5BF48B08F24846CA509CF761E371E842CB94
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 9d8daf805e5a4965dbea2630a209feb804871d0b69b51d144fe61d69c38832fc
                                                                                                                                                                                                                      • Instruction ID: 8a711b82835785a07e3fa9326d7bd2cd4f2876440fb25744396bf4365aa41021
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9d8daf805e5a4965dbea2630a209feb804871d0b69b51d144fe61d69c38832fc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B421E9B1E00359ABCB20DFAAD8919AEFBF9FF98610F10022EE505A7354D7709941CB54
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                                                                                                                                      • Instruction ID: 17cd3c0c25b4add35bb98c69e32fd9838bef8cc3ed440d2fddf62102093729ae
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FA216772A0061AAFDB129F98CC44BAEBBFAFF98315F204859F940A7291D734D9518F50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                                                                                                                                      • Instruction ID: a52da0de00a237fec570c8a361c0cfcf9d772a5a4def2b58937aab115106e541
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 62119D76601606EFE7229E99DC41FAABBB8FBD0B64F10442DF6049F190E671ED44CB60
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 79f7db2cd7048835c916828634870bfb69cf9e05f3d1e55f1aa11cce05d653d7
                                                                                                                                                                                                                      • Instruction ID: 26653dea074a35aa9936b0afbb7312ab3fb00b0440567347c36d02360926026e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 79f7db2cd7048835c916828634870bfb69cf9e05f3d1e55f1aa11cce05d653d7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E611C1717006199BDF15CF4DC5C0A6EBBE9BF8B710B1980ADEE089F205D6B2D901C792
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                                                                                                                                                                      • Instruction ID: 611ba9e9afeb7b27bd05996c38e9c3f50ce21f5b26e28704dde88c60233a865f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A7217972640A49DFD7268F89C540A6AFBF6FB94F14F14887DE54A9B610E730EC01CB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 3189717abd5d2ece819a3952968cf4d75001b7b6541e76b60ee997c67279e21b
                                                                                                                                                                                                                      • Instruction ID: ae4264008e0431efb1f924fe278661b604875b370e048980796cec4da2cabad1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3189717abd5d2ece819a3952968cf4d75001b7b6541e76b60ee997c67279e21b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8421AE75A0020ADFCB14CFA8C580AAEBBF5FB89318F20416DD105AB310CB71AD06DBD1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 785c49ed786e517d2cf8ec11dde2897a27df277b7f437ee395b020f4b2444b08
                                                                                                                                                                                                                      • Instruction ID: f80a017e9de4d7c4308ff7ae6d2315ac88f4c1c3f8d84d6e625833a162df3091
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 785c49ed786e517d2cf8ec11dde2897a27df277b7f437ee395b020f4b2444b08
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BB218E75510A01EFD7308FA9C840F66B7E8FF84650F40882DE69ACB751EB30A950CB60
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d2e316ae9d4a45993a61422827938d7770c825e34b1d9b3f3793cea5d9f40c56
• Instruction ID: 8d66b9970faac24d37c7256b393766a9dd7ff18d69e59d9648246936c7defeda
• Opcode Fuzzy Hash: d2e316ae9d4a45993a61422827938d7770c825e34b1d9b3f3793cea5d9f40c56
• Instruction Fuzzy Hash: EA11C132740926EFC722CB69CD40F9AB7A8FF95750F014025FA01DB250DA74E801CBA0
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ad9dc9a84a890576bdbc42aabc977f8fc3f9fae4cdba6f36ba6db05e9403e9b4
• Instruction ID: 47927ba192d16f35245fa5a44b7bda112ea4005cde227cf2a620c6de6065e0e7
• Opcode Fuzzy Hash: ad9dc9a84a890576bdbc42aabc977f8fc3f9fae4cdba6f36ba6db05e9403e9b4
• Instruction Fuzzy Hash: E4110C333041159FCB1ADB29CC91ABF7297FFD5374B29452DE522CF291DA309801C290
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cf96612c7d02de0bfc37c423ef4503b4d961e97cd44c0e97370d561ed905f209
• Instruction ID: 56f2e79b9dea4b6c6141773c6629ede5738ce081dd60d4eb9ad9b870a5c9031a
• Opcode Fuzzy Hash: cf96612c7d02de0bfc37c423ef4503b4d961e97cd44c0e97370d561ed905f209
• Instruction Fuzzy Hash: 0C119E76A01206EFCB25DF99DA80A5EBBF9BF94A50F45847DD9099F311E630DE00CB90
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
• Instruction ID: 6ccaec65de8db60055f3342a3422f3f4e981c19623aefff217b71223d1eadc99
• Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
• Instruction Fuzzy Hash: 9E11B236A10915AFDB19CB98CC05A9DBBB6EF84210F058269EC5597340E671AD51CBD0
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
• Instruction ID: d388630ee27b3b424baf9eb6d9eab769d256ec8d615fdd8c66678083530c345b
• Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
• Instruction Fuzzy Hash: 682108B5A40B059FD3A0CF29D440B56BBF4FB48720F10492EE98ACBB40E371E814CB90
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
• Instruction ID: f68f80fbf10fde36823054c983b466dcea64c2ecbe22a08d17bbc8bf7fff6f13
• Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
• Instruction Fuzzy Hash: 9111A331600601EFEB729F48CC40B5A7BA6EF45754F0A842CEE0A9B254DB32DC41DB90
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7c5ff0c1771f745fe4a125b65f194f984a709091905706666a83f326a014076c
• Instruction ID: 84bf8afc16bb8a098deaf156069a365df024df84d0b9fd31e53b3e85ad9f430d
• Opcode Fuzzy Hash: 7c5ff0c1771f745fe4a125b65f194f984a709091905706666a83f326a014076c
• Instruction Fuzzy Hash: 9601C431645786ABE316A66EDC84F6B6ADCFF80694F050469FA058F291E954EC00C2B2
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e6a53e21b5c00f5d5f8f4f28dd0037219c923c50cca5663943308952101bb2d
• Instruction ID: 244175d609a725ce51eeee8f87385354a03e2a5066193adf768850df777b82ff
• Opcode Fuzzy Hash: 6e6a53e21b5c00f5d5f8f4f28dd0037219c923c50cca5663943308952101bb2d
• Instruction Fuzzy Hash: 9C119E36250649AFDF258F59DA80B6E7BA8FB8A664F004519F9058F250C770EC42CFA1
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 373863abb50ede1054f3fd6493a8c1b5bf2c7132964e881f9903f1c06a1e273c
• Instruction ID: e5342f020b8916f677024e7edf49d9ad9c0b1bcd77342ef213340259a09b058b
• Opcode Fuzzy Hash: 373863abb50ede1054f3fd6493a8c1b5bf2c7132964e881f9903f1c06a1e273c
• Instruction Fuzzy Hash: 9411C276A00616AFDB22EF99CD80B5EFBB8FF84B40F500059DA05AF300D730AE418B90
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6a60a82e954c77d07fc353beb2c52d7106a1c59dd77f2dda213524be9cd5534e
• Instruction ID: 1f10018a3fcfc6d17f53d6faa32e7a724fcc541956f479d344c85e58013d7863
• Opcode Fuzzy Hash: 6a60a82e954c77d07fc353beb2c52d7106a1c59dd77f2dda213524be9cd5534e
• Instruction Fuzzy Hash: 95019275500106AFC725DF19D889FAABBF9FBC5314F24826AE1068F261C7B09C42CB94
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
• Instruction ID: 3d5dd3244ffd33f6b76805e7f1141ab5cf7d056e5c3869d5876b5018f258b690
• Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
• Instruction Fuzzy Hash: 0A11E5722416C2DBE723976CC984BAD7BD4FB41788F1D04A6DF419FA92F728C842C250
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                                                                                                                      • Instruction ID: 576ec7f1dfc6cd12722fbbcdc8d108c0846a4246f2c1fbc9c855165b51ff611d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8A019636700106AFF7265F58CD00F6A7AA9FB85750F098428EE059B264E772DD41C790
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                                                                                                                      • Instruction ID: edbbc46b62c62522605a151ab69509e8ab13b220221d75151d4d5b8c7b8bef4b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FF0126314047229BDB319F19D840A3A7BE4FF557607008A6EFD96AF281D331D400CB60
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 12780642ebc67bda82d6bd058f63524ff24ef2c809b2a7a6c2dcc31f8e588ab6
                                                                                                                                                                                                                      • Instruction ID: 11a565f70b963dbd7b1b5ae44a3b0c653d0f7cfbf62d9948fd8c1d635804f1cc
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 12780642ebc67bda82d6bd058f63524ff24ef2c809b2a7a6c2dcc31f8e588ab6
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 05118B32241642EFDB26EF19DD90F56BBB8FF94B84F200465E9059F6A1C335ED01CA90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: f4703d4c27f205f13c42fa8a6b9400a99adffb13358110fccba107571c3c52ff
                                                                                                                                                                                                                      • Instruction ID: 3e0ce2132b0b441314d494eaa515cce3b17e2f48f1a5f11f8c53a54873b2afaa
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f4703d4c27f205f13c42fa8a6b9400a99adffb13358110fccba107571c3c52ff
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 79115A7054122AABEF75AB68CD52FEDB2B4BF44714F5041D4A318AA0E0DA709E85CF85
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: a9d64098234a617bc5a458b2aefdbfc4f8833fa74b5a628ca81dc788ece57423
                                                                                                                                                                                                                      • Instruction ID: e40f6859473ce989417cea7c320c07dbfb02d2054b6333ce7a68a93b74438b06
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a9d64098234a617bc5a458b2aefdbfc4f8833fa74b5a628ca81dc788ece57423
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7101D232B10302AFCF256A699C5982BB7E5FB84329B00062CF6468B651DF21EC10C7D1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 933c5c6f95d69a978c9778a93ae3739f3431b99b805229a3b32719e799e40ee8
                                                                                                                                                                                                                      • Instruction ID: 126f12304e87d594da8e2985f474b2421af066d83c607673305fd8bab4a8e102
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 933c5c6f95d69a978c9778a93ae3739f3431b99b805229a3b32719e799e40ee8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4E11177790001AABCB21DB94CC80DEFBB7CFF48254F044166E906A7211EA34AA55CBA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                                                                                                                                      • Instruction ID: 72025ccc691f7d8ea476506068ff067f2b97143a58f9cc6de9fa1d3f5a44a081
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 86014733601211ABEF159E6DD884B9AB7ABBFC4700F5544AAED058F246EE71CC81C391
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: e64915023f175b700a07699a30e656f19f753d754559f137089220fc16a83155
                                                                                                                                                                                                                      • Instruction ID: efd0229e3c0eb6e0e217b7c598d5b3f2962bf651f18c81ee8a863f61fcffd69d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e64915023f175b700a07699a30e656f19f753d754559f137089220fc16a83155
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4711A1326445569FD711CF68D800BA6BBB9FB9A314F08C159ED499F315D732EC81CBA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 8eaca2e02ae56c203fcf63ecdd7990fea84a90546734991a575933dac6f61921
                                                                                                                                                                                                                      • Instruction ID: ab8f59d0478a38fb732fcadaf482233f096107b8021dcf6fcf9867b6b18e834c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8eaca2e02ae56c203fcf63ecdd7990fea84a90546734991a575933dac6f61921
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0F111CB1A0020ADBCB00DF99D585A9EBBF4FF58250F14406AA905E7351D674EA018BA4
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                                                                                                      • Instruction ID: ec5709b8e8d06f22214f30a710943d5235413cc96c4b33a7a736e5ecfbc925c8
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9DF062B2600615ABD334CF4DDC40E5BFBEAEBD5A90F058169A655DB220EA31ED05CB90
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                                                                                                                      • Instruction ID: 47b808f967b7de3f08240f374ba88e28acbe6445d1a4b40ea57335f3e7e289f4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 49F0FC73244623ABD73236598840BAFB9D5BFE1A64F1A0035E205BF240CD648D0396F0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                                                                                                                      • Instruction ID: b1254094f2ea8d9aebf6e383ecf6f748c5bba85fa3f2e2584f973bd6e9122f30
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2D01A231601685AFD327DA9DCD09B5EBB98FF51B54F094469FA488F7A1D7A4C800C251
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: ec80a384fa4aaab53625206126903fb741f8e2e4df626ace2bd5daf22848a6f1
                                                                                                                                                                                                                      • Instruction ID: 966dd5d5ac826c09ba6a55dba2f2a1430372830a4ba0bf20db5be4207e41a811
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ec80a384fa4aaab53625206126903fb741f8e2e4df626ace2bd5daf22848a6f1
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5E014F71A0024AEBDB14DFA9E845AEEBBF8BF58314F14405AE501BB390D774EA01CB95
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                                                                                                                      • Instruction ID: 3fcf55d92ac92e28293a5e81589c798b1b60c854bc7449f00967924c6c8e5a91
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A0F0F97220001EBFEF019F95DD80DAF7B7EFB99298B144125FA1196160D671DD21ABA0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: eea92a17f872b10cce13c26eb580bb3f63d335f1f7dafb6c3244fc3f10383c36
                                                                                                                                                                                                                      • Instruction ID: 14c5b314d34cdd41e0af1a91eaece8d08b773bd5f13592661311feee7b91f8db
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: eea92a17f872b10cce13c26eb580bb3f63d335f1f7dafb6c3244fc3f10383c36
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 17018936105149EBCF129E94DC40EDE7F66FB4C754F098205FE1966224C736D971EB81
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 17d3c91de0edac1a8945bebf03e70381161d84a9a480369144bab9a83bc1f1ec
                                                                                                                                                                                                                      • Instruction ID: a5a6e15789e29eddcf7423360b0723a4b3ec04de62c4fbf73df7568bac72b3e7
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 17d3c91de0edac1a8945bebf03e70381161d84a9a480369144bab9a83bc1f1ec
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A8F024716142425BF714B6299C81BA332DAF7E4754F25846AEB099F2C1E970DC0183F4
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 5c71df7c926db4e626c18f06ce154917c9cd0163fc5111427db1a1d604929e96
                                                                                                                                                                                                                      • Instruction ID: bd4793aba174694b5354ea48b8f623765206a07d90f5be9a2959a0905b55ea6a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5c71df7c926db4e626c18f06ce154917c9cd0163fc5111427db1a1d604929e96
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3701A470240682DFF3379FACCD48B2A77E4BB54F44F980598BA018F7DADB68D5018614
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                                                                                                                      • Instruction ID: 9e8200905a20c2269d5b47346d29558f5b820e4f1fbe1e005126a7d14914af1b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DDF0E231B81A234BFB36AA2F8C20B2EEA96AFD0E40B05052C9611CB780DF20DC018780
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
• Instruction ID: d2cd73ffa624666e99a351d539025162e6d293e6f9bc20b6787d1d6fddddb455
• Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
• Instruction Fuzzy Hash: 03F0B432B505129FD3628A4DDC80F16B769BFD5A60F5E0024AE049B368C361EC0287D0
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e954c2fee88d874f737b0f9248207e6c7e3f663219c71da3f1d91080497b845f
• Instruction ID: 51a09b4c9239cc714d3622adffffa39f085d2ef23a9b601be5dad0e5204d0857
• Opcode Fuzzy Hash: e954c2fee88d874f737b0f9248207e6c7e3f663219c71da3f1d91080497b845f
• Instruction Fuzzy Hash: 0CF0AF706153059FC360EF69C845A1EBBE4FF98710F44465ABC98DB394E634E901C796
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
• Instruction ID: 4c3e4f3ae58da589689acd0e66e9a0ce77d5d964f2e63558a31c37f2eebed15e
• Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
• Instruction Fuzzy Hash: 6EF09072610205EEE714DF65CC01F56B6E9FF98740F14C468A545DB1A4FAB0DD01C654
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae7b8a48e0687c574ad77719f47bf6de375ab46b27c1ff1a88a37a57f11371a4
• Instruction ID: 9fa862f2d76f53934eee17a913aa769931317c3fd7549b23c85f6314d1d3483d
• Opcode Fuzzy Hash: ae7b8a48e0687c574ad77719f47bf6de375ab46b27c1ff1a88a37a57f11371a4
• Instruction Fuzzy Hash: 6DF0B4339103446BD7317A1CAC54B5BBB6DFBD4724F8D5615F94A2B3258B306C90D780
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6c39258056f666818ad8ca7914265b1b3d9fdb20952ff3d48ce7b7d603b6b956
• Instruction ID: 90b3ef44723d378e3999032160787dba4385fcc98d45d2a54f5932923df70687
• Opcode Fuzzy Hash: 6c39258056f666818ad8ca7914265b1b3d9fdb20952ff3d48ce7b7d603b6b956
• Instruction Fuzzy Hash: F6F06270A0124AEFCB14EFA9C915A5EB7B4FF58300F008066B955EB395DA78EA01CB94
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 595138f6757c0a88f0012d15e70dfb387187931e272df8b5e609c0a02175ce52
• Instruction ID: d09f47e7374f148e87aca9b6f50b7eed0f9673f8156f8289e63557c4e9fd70ca
• Opcode Fuzzy Hash: 595138f6757c0a88f0012d15e70dfb387187931e272df8b5e609c0a02175ce52
• Instruction Fuzzy Hash: E6F0B4319166D19FEF32CB5CC654B297BD8FB00630F084D6AD5498F502D724DC82C652
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7643b1d28d5f24657e633881b2a2c7b4598c12dc3a321119a55b38679a8f06d1
• Instruction ID: 88cf8269244027ba295e7cc29f4b521745a5d63e39bb536dec4c9e5fcb2b58cd
• Opcode Fuzzy Hash: 7643b1d28d5f24657e633881b2a2c7b4598c12dc3a321119a55b38679a8f06d1
• Instruction Fuzzy Hash: EDF027264156C12BCF726B6CEC503D53B56A752214F0A2189DDA05B305C674C493C3AA
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 823675eb2c2e550174d758043ca7b5b285f0e76b37ab28020a5468ea3dfb912a
• Instruction ID: 49d4c569dc1c99abe9edc6e3c43eb6d76c82b8f227f68ad005c634f0bb3a0ae4
• Opcode Fuzzy Hash: 823675eb2c2e550174d758043ca7b5b285f0e76b37ab28020a5468ea3dfb912a
• Instruction Fuzzy Hash: A2F0E2725116919FE7229FACC388B297BD8BB40FA0F0CA82DD40ECF512C660E8C0CA50
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
• Instruction ID: 83f55c39bcd2839006edffd4a93fb3aba2f55ebad65de306170161d1e2635aa4
• Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
• Instruction Fuzzy Hash: A8E092323406022BE7219E5D8C80F47776EAFD2B10F044079B6045E251CAE29C0983A4
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
• Instruction ID: c590b10926a6b011ebb9bfdb50a7500c063f263b843bb46ca0d4d00809975ab4
• Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
• Instruction Fuzzy Hash: D7F0A0721006149FE3218F09DE40F52B7F8EB05364F41C025EA088B260D37DEC40DFA4
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
• Instruction ID: fb9945a591913aa498260b12640a9f8965796502984097be0877a5b027982a8a
• Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
• Instruction Fuzzy Hash: A8F0E53A204351DBDF1ACF19D440A9D7BE8FB41360F040854F8468F341E731E981CB95
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                                                                                                                                      • Instruction ID: f0614b1097e27d13e36f26bc61e31a781d5d7f917d832d6ad7245e29ea48bdbd
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0CE09232254146AFD3211E9D8C10F7A77A7BBD0BA0F15042DE2028F150DBB0DC40C798
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                                                                                                                                      • Instruction ID: e871e06ed3859508619dd7ff3c6efa906bab7ac56823ec646dd6b30e0c4c4617
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F7E04F72A40115BFDB22A799CD05FAABEBCEBD4EA0F554095B602EB190E570DE00D6A0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_400000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Yara matches
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 56c62ff1eda09e1bdf6d44cc4d7fdc403d6bb65d3d6684610e16e318f6b2dfdd
                                                                                                                                                                                                                      • Instruction ID: df5b5b946206354c393f7c52451566b8d0a2d0d04488327835fce837b35bb8f7
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 56c62ff1eda09e1bdf6d44cc4d7fdc403d6bb65d3d6684610e16e318f6b2dfdd
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6FD0C25AB8A05195861A9A1D6CA08A1E72984C3670B1023E8DC98DB781D311C02182B9
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: c4ec20401a4f00edc4d3c40b801d16ef5348a1ab8573d48b789ab28d9976608a
                                                                                                                                                                                                                      • Instruction ID: 12a40c380665d03385fa02b3dc6404475c3d535ef0a8ab4f8f48619b4813c8ea
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c4ec20401a4f00edc4d3c40b801d16ef5348a1ab8573d48b789ab28d9976608a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B8E09232100595ABC721BB29DD11F8A77AAFFA1364F014515F1555B190CB70AC50C7C4
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                                                                                                                                                      • Instruction ID: 785ff1543a9825f16b56d8e3d075e8457bc4151e1c9c736dd5ec257bed8e9027
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 72E0C2343003058FE715CF1AC450B627BB6BFD5B11F28C068A9488F309EB32E882CB40
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: d19e0ab3ae671aaf5ea80f7a4631cd3ce87947984cc8f4cb5ecafa0dfb52c916
                                                                                                                                                                                                                      • Instruction ID: 3db74a9231e3309dfc046a1b770cf4f25b46f39fee9252b8834c1436e067d07a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d19e0ab3ae671aaf5ea80f7a4631cd3ce87947984cc8f4cb5ecafa0dfb52c916
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3DD02B324D14217ECB39E96CBC08FEB3A99BB80B20F018864F10CDA010D594CC8182C4
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                                                                                                                                                      • Instruction ID: 8f0e305fdd231c88e6ad6e7105bd7ddcd115faadcf7d48a7da8b6cca20e79abe
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0CE0C232440A22EFEB323F19DC00F5576E1FF94B11F504C2AE0C22E0A487B0AC81CB44
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 6e94784816c1a202c8c2d23c53a1babc29b9342c1da4805863c07933b7b7ccb5
                                                                                                                                                                                                                      • Instruction ID: ed4b34b8b093bc9a7e06ea2da905689c451e38a437875cdce30f169f5b1c8658
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6e94784816c1a202c8c2d23c53a1babc29b9342c1da4805863c07933b7b7ccb5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: ADE08C321004A16BC721FA5DED10E4A73AAFFE5260F000221F1508B690CA60AC41C795
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                                                                                                                                                                      • Instruction ID: 1ec6650b0915392fa18e0428117154c189b68e74955eb0ca8da5256637350019
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CEE08633111A148BC728DE5CD911B7677E4FF45B30F09463EA6134B790C574E944C794
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
• Instruction ID: e0604574364ca9917b521185268307991753b75e504d69b5134239c376aa6a4b
• Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
• Instruction Fuzzy Hash: FCD05E36911A50EFC3329F1BEE04C17FBF9FFD4A50709062EA54587920C670A806CBA0
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
• Instruction ID: 6c36053f0a5f77db29a7c20267df18aca3f93866cf8f2535144126d27d114eae
• Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
• Instruction Fuzzy Hash: 47D0A932664620AFD772AA1CFC00FC373EABB88724F060459B008CB1A1C360AC81CA84
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
• Instruction ID: 6010ea78b23dd19496801a6139fa296e7fd34204ad16b3d688f7b4d4e78d8c9f
• Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
• Instruction Fuzzy Hash: 02E0EC35950685AFDF57DF99DA40F5EBBB5FB94B40F150458A1085F760C725AD00CB40
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
• Instruction ID: 825880ed5741cdc4aac78e71acdeb43f70be195a92d5c6644828a193599619db
• Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
• Instruction Fuzzy Hash: 0BD02232222031E7CB286655AC10F6BB906BFC0A94F0A002E340AAB800C1048C43C2E0
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
• Instruction ID: 2fa26d15f785120ec18f3ab6f7575dc7b4176845ad096b03dae116b254a8e9e6
• Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
• Instruction Fuzzy Hash: 58D012371E054DBBCB119F66DC01F957BA9FBA4BA0F444020B5048B5A0C63AE950D584
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fb29844d38a1584afe132ef9516276f3ed454406c3d1a3f94fd294ac1a50fa7a
• Instruction ID: 947b91c54d802c05fd1419757f259393ed52c2cf8551192e1c6dba43fa456fb8
• Opcode Fuzzy Hash: fb29844d38a1584afe132ef9516276f3ed454406c3d1a3f94fd294ac1a50fa7a
• Instruction Fuzzy Hash: 3CD05E309520029FDF2BCF48CD2493E76B4FF10A40B44106CE60056520D364D8118600
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
• Instruction ID: b3023dcff4b48f0aa33b8c09e1b73c57248b87c66b3b405e5f460c6f5009ffbe
• Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
• Instruction Fuzzy Hash: BAC01232190644AFC7119A95DD01F0577A9FB98B40F400021F2044B570C531E810D644
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
• Instruction ID: cfa90935653e1f96ba99cddd05dabf2e0da868f8dab5a743f52e084dd684df16
• Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
• Instruction Fuzzy Hash: 84D01236100249EFCB01DF45C890D9B773AFBD8710F108019FD190B6508A31ED62DA50
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
• Instruction ID: 2ddb52f0178847bdcd60acb368396f35d5691dc1ebf857a686966725a0dc4cd8
• Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
• Instruction Fuzzy Hash: FDC04C75751942CFCF15DB59D294F4977E4F744744F151890E805CF721E624E811CA10
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 94347bc8fa33b41ba6e12a712de4f1edb88678d86355f8b58366af632f709f33
• Instruction ID: 24b509d7ad01b6683c582648da84ac9f27d8fbfb27457060e96d1accfcf4fcfc
• Opcode Fuzzy Hash: 94347bc8fa33b41ba6e12a712de4f1edb88678d86355f8b58366af632f709f33
• Instruction Fuzzy Hash: 3C900231A05800129144725848885464085B7E0311B59C411E0424954CCA548A565361
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b68dde35d7436ee83983c0b8acd97f72298c6904471b4fd8ccf30c3fb9a42357
• Instruction ID: a57971b232265391d6aa44d401f57e352d1f022e7fea5d57f8fd1389c21f21c5
• Opcode Fuzzy Hash: b68dde35d7436ee83983c0b8acd97f72298c6904471b4fd8ccf30c3fb9a42357
• Instruction Fuzzy Hash: BB900261A01500424144725848084066085B7E1311399C515A0554960CC65889559369
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 0470f8d4fa1d84de2d2b54bfd885c4cdc05bb9920ce2b70264fe23acf4c1bea8
                                                                                                                                                                                                                      • Instruction ID: 614686f1dc46d96de1cfb479a1cfecf753be10570fcb73329dfa6eba08d8e168
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0470f8d4fa1d84de2d2b54bfd885c4cdc05bb9920ce2b70264fe23acf4c1bea8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9090023160544842D14472584408A460095A7D0315F59C411A0064A94DD6658E55B761
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 7d67d2923039c1429b3438ba8ab924b9c468a03824f0aff6730d8bdd826f0b59
                                                                                                                                                                                                                      • Instruction ID: 985e6b7801b1648b36a9335ceebd4114b4055a57615b1fe45ba16efd288526b3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7d67d2923039c1429b3438ba8ab924b9c468a03824f0aff6730d8bdd826f0b59
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A490023160140802D108725848086860085A7D0311F59C411A6024A55ED6A589917231
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 9f54186e4c01932bbba624496a5e5bc06748cbd6d4ed92341a4b1c4f2c0983aa
                                                                                                                                                                                                                      • Instruction ID: de08745e8afd6f0ed004d202abe6a3cade857f7759b5053ceda64f2c4fbe7644
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9f54186e4c01932bbba624496a5e5bc06748cbd6d4ed92341a4b1c4f2c0983aa
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8A900231A0540802D154725844187460085A7D0311F59C411A0024A54DC7958B5577A1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 434a5a2c959f85dd26834b610c6aa9d3c59813da45d3a3c50779a38f36218b36
                                                                                                                                                                                                                      • Instruction ID: 695b0a4eb4e195edb3a8557a0ef80084c185365022a8f947cdb642611775ead6
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 434a5a2c959f85dd26834b610c6aa9d3c59813da45d3a3c50779a38f36218b36
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2A900225621400020149B658060850B04C5B7D6361399C415F1416990CC66189655321
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 43047d0d4f9e01f66d3fc93609c2715b70bbdc59f2d6f57896d0813f6a807ae8
                                                                                                                                                                                                                      • Instruction ID: e61d4a2461a75731a8ca2a9f4d1c9c8da54f98b493b12402bc1e6fa48235ca5f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 43047d0d4f9e01f66d3fc93609c2715b70bbdc59f2d6f57896d0813f6a807ae8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6D9002A1601540924504B3588408B0A4585A7E0211B59C416E1054960CC56589519235
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: f329883de64499919a32ea63c74c6126f202d58e3fc387b6c6db59be4e64c2a3
                                                                                                                                                                                                                      • Instruction ID: 12431e8b94bd8ee59619cd30bf8ce36b6987e2e6759fe86401264aeff35423e5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f329883de64499919a32ea63c74c6126f202d58e3fc387b6c6db59be4e64c2a3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1990022160544442D1047658540CA060085A7D0215F59D411A1064995DC6758951A231
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 1ae1bd3410b23b27f8be13dd2b9c6e5738374594fcc5712a68d5de6975d1defc
                                                                                                                                                                                                                      • Instruction ID: f5214c6576ba2565a4aaf5d28f0990439c2372ff005309227b7f46ad4e5417aa
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1ae1bd3410b23b27f8be13dd2b9c6e5738374594fcc5712a68d5de6975d1defc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2690023164140402D145725844086060089B7D0251F99C412A0424954EC6958B56AB61
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 5e1f6116b36abdc7e5174ed774286f3754712b9e23ab8a21fde27f0139c3864f
                                                                                                                                                                                                                      • Instruction ID: 16eec403e16018cbba7ea28841ca2de9f6e3bdaedf473b1d9bd9ee983e4fde28
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5e1f6116b36abdc7e5174ed774286f3754712b9e23ab8a21fde27f0139c3864f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DD90023160140842D10472584408B460085A7E0311F59C416A0124A54DC655C9517621
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 497449447f1b858d238dd84eb72a10fc251b053733db6a584f6cd36bda29311e
                                                                                                                                                                                                                      • Instruction ID: 8fe71cd8fe0a065c45b963084c401a1d10288fc83c630cc054f1fe2d6492462a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 497449447f1b858d238dd84eb72a10fc251b053733db6a584f6cd36bda29311e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D0900221A0540402D1447258541C7060095A7D0211F59D411A0024954DC6998B5567A1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                                                                                                                                      • Instruction ID: c8a7568f676a18a8ae77a3c6076824ac5f56f67c71ba10dbc3ede338dba9dce1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                                                                                                                                      • Instruction Fuzzy Hash:
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ___swprintf_l
                                                                                                                                                                                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                                                                                                                      • API String ID: 48624451-2108815105
                                                                                                                                                                                                                      • Opcode ID: 2c34eeb85fa7ab9545ba12a6ee022fead3561d39bcf34be95f473f3146655c99
                                                                                                                                                                                                                      • Instruction ID: df23dc21eeb217cef10665139a51cf27273a1e9efddfd195031fa44906b3d727
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2c34eeb85fa7ab9545ba12a6ee022fead3561d39bcf34be95f473f3146655c99
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EC51E8B1A04216BFCB25DB9CCC9097EFBF8BB48241B548169F495DB681D374DE4087E0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ___swprintf_l
                                                                                                                                                                                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                                                                                                                      • API String ID: 48624451-2108815105
                                                                                                                                                                                                                      • Opcode ID: ec157f387e55dd412c2b2492e034a8d7be05f2cdb5dceab7d9a99d61591218af
                                                                                                                                                                                                                      • Instruction ID: d8db2cc935c04da8549c0d4b0bacd9880ed0dd0ebb3c32833c86eeddd5fda8ee
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ec157f387e55dd412c2b2492e034a8d7be05f2cdb5dceab7d9a99d61591218af
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9651F475A00646AFCB24DF9CDCA097EBBF9EF44200B24845EF496D7681E7B4DA4087A0
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • ExecuteOptions, xrefs: 016046A0
                                                                                                                                                                                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 016046FC
                                                                                                                                                                                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01604725
                                                                                                                                                                                                                      • Execute=1, xrefs: 01604713
                                                                                                                                                                                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01604655
                                                                                                                                                                                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 01604787
                                                                                                                                                                                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01604742
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                                                                                                                                      • API String ID: 0-484625025
                                                                                                                                                                                                                      • Opcode ID: e8a01bf11c799548d944be44f634e2dacafefcfe065c37610b6b6ee9e4c05f5a
                                                                                                                                                                                                                      • Instruction ID: 785c176b1b668f34f1b48950a1252c830c4a8a00b4b28a004afc10c9a6e35368
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e8a01bf11c799548d944be44f634e2dacafefcfe065c37610b6b6ee9e4c05f5a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9651093160021A7EEF21AFE9EC86BAE77A8FF58700F04009DD605AF591DB709A458F54
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: __aulldvrm
                                                                                                                                                                                                                      • String ID: +$-$0$0
                                                                                                                                                                                                                      • API String ID: 1302938615-699404926
                                                                                                                                                                                                                      • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                                                                                                                                                      • Instruction ID: f176d336896507b81ae247c519764fd48b9e536a4949eb655f99d2d663688700
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4381AD70E0524A9FEF35CE6CC8917BEBBA3BF46360F1A4659D861AF291C6349840CB51
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016002E7
                                                                                                                                                                                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016002BD
                                                                                                                                                                                                                      • RTL: Re-Waiting, xrefs: 0160031E
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                                                                                                                      • API String ID: 0-2474120054
                                                                                                                                                                                                                      • Opcode ID: e3a8cb5aba3fdb5cdbe9f181d5262b508eb4c63e1f7b27cb8901afda76a70c54
                                                                                                                                                                                                                      • Instruction ID: e71c86800a6dc1d2f3a84f317c27e0af50aec4dd5123f9951130d8db1a310815
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e3a8cb5aba3fdb5cdbe9f181d5262b508eb4c63e1f7b27cb8901afda76a70c54
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 02E19C306047429FD72ACF2CCC84B6ABBE0BB88754F144A6EF5A58B2E1D774D945CB42
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • RTL: Resource at %p, xrefs: 01607B8E
                                                                                                                                                                                                                      • RTL: Re-Waiting, xrefs: 01607BAC
                                                                                                                                                                                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01607B7F
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                                                                                      • API String ID: 0-871070163
                                                                                                                                                                                                                      • Opcode ID: 269d3590e9dad9dd7094504a2923601b0865f35877f8fb2af09ea4b6117a0754
                                                                                                                                                                                                                      • Instruction ID: daba75950b8e8159b8e9784b2cc5b19c78c1d7965538d5fa5f53cc92bbbe1139
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 269d3590e9dad9dd7094504a2923601b0865f35877f8fb2af09ea4b6117a0754
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D941D0317007039FD725DE69CC41B6BB7E5FB98B10F000A1DE9AA9B780DB71E8058B91
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0160728C
Strings
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01607294
• RTL: Resource at %p, xrefs: 016072A3
• RTL: Re-Waiting, xrefs: 016072C1
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
• Opcode ID: a036ee0f9178a331028e122098e7a53bb958175802096389ccf107d21cd83027
• Instruction ID: cc1bf0877383e9aedd7ed62e53955c8c1088ce8ed99bbb17fec1d48dc4fa8b73
• Opcode Fuzzy Hash: a036ee0f9178a331028e122098e7a53bb958175802096389ccf107d21cd83027
• Instruction Fuzzy Hash: 34411231604206AFC725CE69CC82F6AB7A6FF94B10F14461CF9959B280DB31F8128BD1
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: fef0f8433d28696708cc1860b8757b9e73884b7814e6151eaba94fadf4a304a1
• Instruction ID: 7aff1f3a2368420c9fd9a85c4d5df41e00ea5e703a450f397541e2745708c1c3
• Opcode Fuzzy Hash: fef0f8433d28696708cc1860b8757b9e73884b7814e6151eaba94fadf4a304a1
• Instruction Fuzzy Hash: E2318072A006199FDB21DF2DDC50BEEB7F8FB44610F54059AF949E7240EB30AA548FA0
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
• Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction ID: bd109ff267c79021aff9273fbea2723ddd8661a325ea45c090fcd2d617567fbd
• Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
• Instruction Fuzzy Hash: D791A171E002179EEB34DF6DC8816BEBBA1FF88328F54455AE965EF2C0E73099418751
Strings
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280
• Opcode ID: 1f7684f49a43a158d48254c8e437b3b19d1e317aa383caf2ecfeb6302d950003
• Instruction ID: ef814f6d351ff82fd828096481570fb976f1265b752c47719c6ffab4973dd735
• Opcode Fuzzy Hash: 1f7684f49a43a158d48254c8e437b3b19d1e317aa383caf2ecfeb6302d950003
• Instruction Fuzzy Hash: CE810CB1D0026A9BDB35CB54CC44BEEB7B4BF48714F0041DAAA19BB680D7309E84CFA1
APIs
• @_EH4_CallFilterFunc@8.LIBCMT ref: 0161CFBD
Strings
Memory Dump Source
• Source File: 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_1560000_TEKLIF 2002509.jbxd
Similarity
• API ID: CallFilterFunc@8
• String ID: @$@4Cw@4Cw
• API String ID: 4062629308-3101775584
• Opcode ID: 9f693a3979ab28c2c105cc924226b20b1d006a7d622b37cf73de82a5013d4a04
• Instruction ID: 4423f35764625d56d91ee346183acc0ba05a3916503262eb8ab8f276d8550c53
• Opcode Fuzzy Hash: 9f693a3979ab28c2c105cc924226b20b1d006a7d622b37cf73de82a5013d4a04
• Instruction Fuzzy Hash: 9F418D71940216DFDB21AFA9CC40AAEBBB8FF95B40F04412AE915DF358E734C801CBA1

Execution Graph

Execution Coverage: 1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 69
Total number of Limit Nodes: 7

Execution graph over the explorer.exe memory dump at 0E2C0000 (process 6): 69 nodes, six entry points. The node-level export is condensed here to the API calls reached from each entry:
• e3942dd -> e39431a, a loop over SleepEx (e394328), e39ef12 (socket, NtCreateFile, getaddrinfo), e395432 (NtCreateFile) and e3940f2 (socket, getaddrinfo); exit at e3943fa
• e3a0bac -> e396b72 (CreateMutexExW at e396cb5) -> e3a0c2c, which branches through repeated e39eab2 (NtProtectVirtualMemory) calls into e397ee2, e397fc2, e398102, e3982f2 and e398712 (ObtainUserAgentString, NtProtectVirtualMemory) and e397de2 (ObtainUserAgentString) -> e394412 (CreateThread at e39444d)
• e3a0e12 -> e39f942 -> e3a0e45 (NtProtectVirtualMemory)
• e39f232 -> e39f410 (NtCreateFile)
• e39ff82 -> e39c5b2 (socket at e39c60a) and e3a0117 (getaddrinfo)
• e39a8c2 -> e39a995 (ObtainUserAgentString)
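Joe Sandbox exports the execution graph and the per-function control-flow graphs as flat token streams: an integer opens a node, the tokens that follow are that node's label (a code address or address range, an optional `call <addr>` naming an internal callee, and any API names such as NtProtectVirtualMemory), and `A->B` tokens are edges. The Python below is an added example, not part of the report: it parses that stream and lists, for every entry point, the API calls and internal callees reachable from it. The token rules are inferred from the text on this page rather than taken from a documented Joe Sandbox format, the embedded inputs are the process 6 (explorer.exe, dump at 0E2C0000) execution graph and the control-flow graph of e3a0e0a copied from this report, and all function and constant names are the example's own.

```python
"""Added example, not part of the Joe Sandbox report: parse the execution_graph and
control_flow_graph token streams the report exports and list the API calls reachable
from each entry point. Token rules are inferred from this page, not a documented format."""
import re
from collections import defaultdict, deque

# execution_graph of process 6 (explorer.exe, dump at 0E2C0000) exactly as the report
# prints it; only line breaks were added.
EXECUTION_GRAPH = """
20212 e3942dd 20213 e39431a 20212->20213 20214 e3943fa 20213->20214 20215 e394328 SleepEx 20213->20215 20219 e39ef12
socket NtCreateFile getaddrinfo 20213->20219 20220 e395432 NtCreateFile 20213->20220 20221 e3940f2 socket getaddrinfo
20213->20221 20215->20213 20215->20215 20219->20213 20220->20213 20221->20213 20222 e3a0bac 20223 e3a0bb1 20222->20223
20256 e3a0bb6 20223->20256 20257 e396b72 20223->20257 20225 e3a0c2c 20226 e3a0c85 20225->20226 20227 e3a0c69 20225->20227
20228 e3a0c54 20225->20228 20225->20256 20271 e39eab2 NtProtectVirtualMemory 20226->20271 20231 e3a0c6e 20227->20231
20232 e3a0c80 20227->20232 20267 e39eab2 NtProtectVirtualMemory 20228->20267 20269 e39eab2 NtProtectVirtualMemory
20231->20269 20232->20226 20236 e3a0c97 20232->20236 20233 e3a0c8d 20272 e398102 ObtainUserAgentString
NtProtectVirtualMemory 20233->20272 20234 e3a0c5c 20268 e397ee2 ObtainUserAgentString NtProtectVirtualMemory
20234->20268 20238 e3a0cbe 20236->20238 20239 e3a0c9c 20236->20239 20243 e3a0cd9 20238->20243 20244 e3a0cc7 20238->20244
20238->20256 20261 e39eab2 NtProtectVirtualMemory 20239->20261 20241 e3a0c76 20270 e397fc2 ObtainUserAgentString
NtProtectVirtualMemory 20241->20270 20243->20256 20275 e39eab2 NtProtectVirtualMemory 20243->20275 20273 e39eab2
NtProtectVirtualMemory 20244->20273 20248 e3a0cac 20262 e397de2 ObtainUserAgentString 20248->20262 20249 e3a0ccf
20274 e3982f2 ObtainUserAgentString NtProtectVirtualMemory 20249->20274 20251 e3a0ce5 20276 e398712 ObtainUserAgentString
NtProtectVirtualMemory 20251->20276 20254 e3a0cb4 20263 e394412 20254->20263 20258 e396b93 20257->20258 20259 e396cce
20258->20259 20260 e396cb5 CreateMutexExW 20258->20260 20259->20225 20260->20259 20261->20248 20262->20254 20265 e394440
20263->20265 20264 e394473 20264->20256 20265->20264 20266 e39444d CreateThread 20265->20266 20266->20256 20267->20234
20268->20256 20269->20241 20270->20256 20271->20233 20272->20256 20273->20249 20274->20256 20275->20251 20276->20256
20277 e3a0e12 20281 e39f942 20277->20281 20279 e3a0e45 NtProtectVirtualMemory 20280 e3a0e70 20279->20280 20282 e39f967
20281->20282 20282->20279 20283 e39f232 20285 e39f25c 20283->20285 20286 e39f334 20283->20286 20284 e39f410 NtCreateFile
20284->20286 20285->20284 20285->20286 20287 e39ff82 20288 e39ffb8 20287->20288 20290 e3a0081 20288->20290 20292 e3a0022
20288->20292 20293 e39c5b2 20288->20293 20291 e3a0117 getaddrinfo 20290->20291 20290->20292 20291->20292 20294 e39c60a
socket 20293->20294 20295 e39c5ec 20293->20295 20294->20290 20295->20294 20296 e39a8c2 20297 e39a934 20296->20297
20298 e39a9a6 20297->20298 20299 e39a995 ObtainUserAgentString 20297->20299 20299->20298
"""
# control_flow_graph of e3a0e0a from the same report, included for the 'call <addr>' form.
CFG_E3A0E0A = """435 e3a0e0a-e3a0e38 436 e3a0e45-e3a0e6e NtProtectVirtualMemory 435->436
437 e3a0e40 call e39f942 435->437 438 e3a0e7d-e3a0e8f 436->438 439 e3a0e70-e3a0e7c 436->439 437->436"""

# Address or address range as the export prints it (lower-case hex). Assumption: API names
# always contain a non-hex character, which holds for every name in this report.
ADDR = re.compile(r"^[0-9a-f]+(-[0-9a-f]+)?$")

def parse_graph(text):
    """Return (nodes, edges): nodes[id] = {addr, apis, calls}; edges[id] = [successor ids]."""
    nodes, edges = {}, defaultdict(list)
    current, expect_callee = None, False
    for tok in text.split():
        if tok.isdigit():                      # integer token opens a new node
            current = int(tok)
            nodes[current] = {"addr": None, "apis": [], "calls": []}
            expect_callee = False
        elif "->" in tok:                      # 'A->B' is an edge
            src, dst = tok.split("->")
            edges[int(src)].append(int(dst))
        elif current is None:
            raise ValueError(f"label token {tok!r} before any node id")
        elif tok == "call":                    # 'call <addr>' names an internal callee
            expect_callee = True
        elif ADDR.match(tok):
            if expect_callee:
                nodes[current]["calls"].append(tok)
                expect_callee = False
            else:
                assert nodes[current]["addr"] is None, f"node {current}: two addresses"
                nodes[current]["addr"] = tok
        else:                                  # anything else is an API name
            nodes[current]["apis"].append(tok)
    return nodes, dict(edges)

def entry_points(nodes, edges):
    """Node ids no edge points at: the roots drawn at the top of the rendered graph."""
    targets = {dst for dsts in edges.values() for dst in dsts}
    return sorted(n for n in nodes if n not in targets)

def reachable(nodes, edges, entry):
    """Breadth-first walk from entry; returns the sets of API names and callees seen."""
    apis, calls, seen, queue = set(), set(), {entry}, deque([entry])
    while queue:
        n = queue.popleft()
        node = nodes.get(n, {"apis": (), "calls": ()})   # tolerate edges into undefined nodes
        apis.update(node["apis"])
        calls.update(node["calls"])
        for m in edges.get(n, ()):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return apis, calls

def summarize(text):
    """Map each entry address to the sorted API names and callees reachable from it."""
    nodes, edges = parse_graph(text)
    out = {}
    for entry in entry_points(nodes, edges):
        apis, calls = reachable(nodes, edges, entry)
        out[nodes[entry]["addr"]] = {"apis": sorted(apis), "calls": sorted(calls)}
    return out

if __name__ == "__main__":
    for addr, info in summarize(EXECUTION_GRAPH).items():
        print(f"{addr}: {', '.join(info['apis']) or '(no API calls)'}")
```

Run stand-alone it prints one line per entry point; the entry at e3a0bac reaches CreateMutexExW, NtProtectVirtualMemory, ObtainUserAgentString and CreateThread, while e3942dd loops on SleepEx between socket, getaddrinfo and NtCreateFile. Reachability is over the code the sandbox recovered, not a record of what ran: with Execution Coverage at 1% for this process, an API listed for an entry point is reachable from it, not necessarily observed executing.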

Control-flow Graph

Function e39f232 (control-flow graph as exported; the rendered Executed / Not Executed colouring is not preserved): entry block e39f232-e39f256, exit blocks e39f37a-e39f3a0 and e39f8bd-e39f8cd. Twelve blocks call e39f942; block e39f410-e39f458 calls NtCreateFile and then e39f172; block e39f657-e39f66b calls e3a0e92.
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4621775586.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2c0000_explorer.jbxd
Similarity
• API ID: CreateFile
• String ID: `
• API String ID: 823142352-2679148245
• Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction ID: 0264ad8ec21953fdeae581736c9721ce98550c5eba582709ec75bd2d41416005
• Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction Fuzzy Hash: 34223970B28A099FCB59DF28C4956BAFBE1FB98301F50462EE45ED3250DB30E851DB81

Control-flow Graph

Function e3a0e12 (control-flow graph as exported; the rendered Executed / Not Executed colouring is not preserved): block e3a0e12-e3a0e6e calls e39f942 and then NtProtectVirtualMemory, then branches to e3a0e70-e3a0e7c or e3a0e7d-e3a0e8f.
APIs
• NtProtectVirtualMemory.NTDLL ref: 0E3A0E67
Memory Dump Source
• Source File: 00000006.00000002.4621775586.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2c0000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction ID: c780fc5379df2ceb547afb3ebfe1e3da59cca0fd851047da08a40d623b768281
• Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction Fuzzy Hash: 0A01B530628B484F8B88EF6CD480226B7E4FBDD314F000B3EE59AC3250D770C5414742

Control-flow Graph: rendered graph not recoverable from text (function at e3a0e0a, basic blocks e3a0e0a-e3a0e8f; calls NtProtectVirtualMemory and the internal routine at e39f942; executed/not-executed colouring lost).
APIs
• NtProtectVirtualMemory.NTDLL ref: 0E3A0E67
Memory Dump Source
• Source File: 00000006.00000002.4621775586.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2c0000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction ID: 3fd3d8fa1b894e966bddff673781659d40ad3fcd0e6be57aa5bbeb2113fa31a3
• Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction Fuzzy Hash: 0101A734628B884B8B48EB2C94412A6B7E5FBCE314F000B3EE59AC3240DB21D5014782

Control-flow Graph: rendered graph not recoverable from text (function at e39ff82, basic blocks e39ff82-e3a0920; calls getaddrinfo from block e3a0117-e3a0132 plus numerous internal routines; executed/not-executed colouring lost).
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4621775586.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2c0000_explorer.jbxd
Similarity
• API ID: getaddrinfo
• String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
• API String ID: 300660673-1117930895
• Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction ID: dbc2f67084587c598baeb3259e129fe3bad31cb4b483f6099e86dc0e7260a72f
• Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction Fuzzy Hash: 3A528F30618B088FCB69EF68C4947E9BBE1FB54300F544A2EC5AFC7146DE74A985CB85

Control-flow Graph: rendered graph not recoverable from text.
APIs
• ObtainUserAgentString.URLMON ref: 0E39A9A0
Strings
Memory Dump Source
• Source File: 00000006.00000002.4621775586.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2c0000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction ID: 23e71624f86201727f7687d33862ffd442fce4d42b31587f516494b94048a9bf
• Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction Fuzzy Hash: 1331DD71614A4C8FCF04EFA8C8887EEBBE1FB58205F44062AD54ED7240DF788A45CB89

Control-flow Graph: rendered graph not recoverable from text.
APIs
• ObtainUserAgentString.URLMON ref: 0E39A9A0
Strings
Memory Dump Source
• Source File: 00000006.00000002.4621775586.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2c0000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction ID: 01660993aef9f9a6431395e98d0d74601f30c416a90c47f8aa047281614472df
• Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction Fuzzy Hash: 5221D071A10A4D8FCF04EFA8C8857EEBBE5FF58205F44462AD45AD7240DF788A45CB89

Control-flow Graph: rendered graph not recoverable from text (function at e396b66, basic blocks e396b66-e396cf6; calls CreateMutexExW from block e396cb5-e396cca plus internal routines e39d612, e39f942, e3a1da4, e3a1022 and e3a13e2; executed/not-executed colouring lost).
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4621775586.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2c0000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction ID: f7c999456fddbb1bb045c5ac9f1be55ddadc8d7902d617c1fc931285921b95b4
• Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction Fuzzy Hash: 48417C70918A088FDF54EFA8C8957AD7BE0FB68300F44467AD84EDB255EF309945CB85

Control-flow Graph: rendered graph not recoverable from text.
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4621775586.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2c0000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction ID: f84b99d27de98d97241f50a2c5400043b17de25222f8fbbe0c4884dff6112c78
• Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction Fuzzy Hash: 32415A70918A088FDF94EFA8C4997AD7BE0FB68300F44456AD84EDB255DE309945CB85

                                                                                                                                                                                                                      Control-flow Graph
control_flow_graph 399 e39c5b2-e39c5ea 400 e39c60a-e39c62b socket 399->400 401 e39c5ec-e39c604 call e39f942 399->401 401->400

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.4621775586.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2c0000_explorer.jbxd
Similarity
• API ID: socket
• String ID: sock
• API String ID: 98920635-2415254727
• Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
• Instruction ID: d908de2517c1cb52d8f11cb6a43e97591259fbbf16acdad1ffb17e9911c06eba
• Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
• Instruction Fuzzy Hash: 96014F70618A1C8FCB84EF1CE048B54BBE0FB59314F1545AEE85EDB266C7B0C981CB86

Control-flow Graph
control_flow_graph 404 e3942dd-e394320 call e39f942 407 e3943fa-e39440e 404->407 408 e394326 404->408 409 e394328-e394339 SleepEx 408->409 409->409 410 e39433b-e394341 409->410 411 e39434b-e394352 410->411 412 e394343-e394349 410->412 414 e394370-e394376 411->414 415 e394354-e39435a 411->415 412->411 413 e39435c-e39436a call e39ef12 412->413 413->414 417 e394378-e39437e 414->417 418 e3943b7-e3943bd 414->418 415->413 415->414 417->418 422 e394380-e39438a 417->422 419 e3943bf-e3943cf call e394e72 418->419 420 e3943d4-e3943db 418->420 419->420 420->409 424 e3943e1-e3943f5 call e3940f2 420->424 422->418 425 e39438c-e3943b1 call e395432 422->425 424->409 425->418

APIs
Memory Dump Source
• Source File: 00000006.00000002.4621775586.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2c0000_explorer.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
• Instruction ID: 66cff093944ed643a921135f43632fdd546380b5118f2ee96159dddc0be2c7dc
• Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
• Instruction Fuzzy Hash: 53316974614B09DFDF68EF2980C82A5BBA1FB54301F44467EC92DCB206CB3498A2DF91

Control-flow Graph
control_flow_graph 440 e394412-e394446 call e39f942 443 e394448-e394472 call e3a1c9e CreateThread 440->443 444 e394473-e39447d 440->444

APIs
Memory Dump Source
• Source File: 00000006.00000002.4621775586.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e2c0000_explorer.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
• Instruction ID: 43d022744d805456e9b6fc8939bfb1784dfa5d919aad30c1cd7e2e79f1db8dbb
• Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
• Instruction Fuzzy Hash: 47F0C230268A484FDB88EB2CD48563AB7D0EBA8214F440A3EA54DC3264DB29C9828716

Strings
Memory Dump Source
• Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
• API String ID: 0-393284711
• Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction ID: 57b7a8ce307221813b083b92b24d4bc57429e544794fae3e914b293a6f3249b4
• Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction Fuzzy Hash: 4DE16C74528F488FC768EF68C4947AAB7E0FB68300F504A6E959FC7241DF34AA41CB85

Strings
Memory Dump Source
• Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
• API String ID: 0-393284711
• Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction ID: 4cd5c796bbfd9db735284cc1304f7e408b6a6e1be4aafe967343b928509e762a
• Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction Fuzzy Hash: 07E13974618F488FC7A5EF68C4947EAB7E0FB58300F504A2E959FC7255DF30A9418B8A

Strings
Memory Dump Source
• Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
Similarity
• API ID:
• String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
• API String ID: 0-2916316912
• Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction ID: 54fe6e26c904fd87e8e091e3ce63605b69ad9ada4dc29d632dc10e0d77f5bf47
• Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction Fuzzy Hash: E5B19C70528B488FDB19EF68C485AEEB7F1FFA8300F50495ED49AC7251EF7099058B86

Strings
Memory Dump Source
• Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
Similarity
• API ID:
• String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
• API String ID: 0-2916316912
• Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction ID: 5db7616c64353593ad7df17fc7192a4900c3de9dedb6b22df2f16d63e4e9e803
• Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction Fuzzy Hash: 13B16B30518B488EDB59EF68C495AEEB7F1FF98300F50491ED49AC7251EF709905CB86

Strings
Memory Dump Source
• Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
Similarity
• API ID:
• String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
• API String ID: 0-1539916866
• Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
• Instruction ID: 3abd9d6b7d2f5ccd7d3b28152edb2153629a5b1a70ef3d0834197814c8212b6c
• Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
• Instruction Fuzzy Hash: 2F41B370A28B088FDB14DF88A459BBD7BE6FB58700F00025ED409D7245DBB5AD858BD6

Strings
Memory Dump Source
• Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
Similarity
• API ID:
• String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
• API String ID: 0-1539916866
• Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
• Instruction ID: 41628b5463cd811fe4715e88071a37375783b1a2ec32622439c85f4a4c1edcdc
• Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D741B170A18F088FDB18DF88A4956BD7BF2FB48700F00025ED409D3255DBB59D458BD6
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                                                                                                                                                                                                      • API String ID: 0-355182820
                                                                                                                                                                                                                      • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                                                                                      • Instruction ID: b578a1e9a0c1de51c209e600472565fb8219bcb011ed4e7ffddd2caf6d090d0a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 12C16E74228B098FC759EF64C495ADAF3E5FBA4304F404B5E949AC7250DF30EA15CB86
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                                                                                                                                                                                                      • API String ID: 0-355182820
                                                                                                                                                                                                                      • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                                                                                      • Instruction ID: 1a8d573c93cdefdf3fed89348b2484027b0e56fe13d141bb001446d62a972b34
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3AC14B70218B099FC758EF64C895ADAF3E1FB98304F404A2E949EC7250DF30E915CB86
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                                                                                                                                                                                      • API String ID: 0-97273177
                                                                                                                                                                                                                      • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                                                                                      • Instruction ID: af3b74b03b56e583966885f566a4509de14b71e8a225ce26006d7eb5f30c4d48
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4F51C2315287488FD71DDF18C8912AAB7E5FBD5700F501A6EE8CBC7241DBB49A46CB82
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                                                                                                                                                                                      • API String ID: 0-97273177
                                                                                                                                                                                                                      • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                                                                                      • Instruction ID: f75111196acf42acf51ec9e0c829a3dd9443ca126b83d49bff064166a83b8867
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3B51BF316187488FD719DF58C8812EEB7E5FB85704F501A2EE8CB87252DBB49906CB82
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                                                                                      • API String ID: 0-639201278
                                                                                                                                                                                                                      • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                                                                                      • Instruction ID: 388f1a761da8dc1bc1231c5be1f9e5d87ee03ce145009fdf6269e067da1f6e74
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FCC1A174628A194FC758EF68D495AAAF3E1FFA8300F5447A9840EC7255DF30DA42CBC6
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                                                                                      • API String ID: 0-639201278
                                                                                                                                                                                                                      • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                                                                                      • Instruction ID: c6a448941943f8045eb9d2e60a684826b11b703cc3a8cc697010f1695e247f81
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A7C19274628A194FC758EF68D495AAAF3E1FBA8300F5447A9840EC7255DF30DA42C7C6
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                                                                                      • API String ID: 0-639201278
                                                                                                                                                                                                                      • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                                                                                      • Instruction ID: 3912ec41388e7ba92a5d9081b476df82f9d39ac0764c0c6700841d585520260b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D1C17E70628A194FC758EB68D495AEEF3E1FB98300F55866D840EC7250DF30ED06CB86
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                                                                                      • API String ID: 0-639201278
                                                                                                                                                                                                                      • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                                                                                      • Instruction ID: 414fc7602fdd541f931f9b5ce945f4e3541083b1bc41bf944a77b68639076129
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1EC17E70628A194FC758EB68D495AEEF3E1FB98300F55866D940EC7250DF30ED06CB86
Strings
Memory Dump Source
• Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
Similarity
• API ID:
• String ID: UR$2$L: $Pass$User$name$word
• API String ID: 0-2058692283
• Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
• Instruction ID: 37e82299e0468c525fe813615ec753a88839d499db866e410a609ddd5323b30b
• Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
• Instruction Fuzzy Hash: 92A191706287488FDB19EFA8D4447EEB7E1FF98300F40466EE48AD7251EF709A458789
Strings
Memory Dump Source
• Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
Similarity
• API ID:
• String ID: UR$2$L: $Pass$User$name$word
• API String ID: 0-2058692283
• Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
• Instruction ID: f8f161320de2c012201bd2102401fa37badf3564e7b0f878d2fac3734808385f
• Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
• Instruction Fuzzy Hash: 7FA19F706187488BDB19EFA8D4447EEB7E1FF88310F40462DD48AD7251EB709946C789
Strings
Memory Dump Source
• Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
Similarity
• API ID:
• String ID: UR$2$L: $Pass$User$name$word
• API String ID: 0-2058692283
• Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
• Instruction ID: 1272cba09f5b73c7675dfc350f5401a44a36db2dfc3d633ee447e08083a2b136
• Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
• Instruction Fuzzy Hash: B29180706287488FDB19EFA8D444BEEB7E1FF98300F40466EE48AD7251EF709A458785
Strings
Memory Dump Source
• Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
Similarity
• API ID:
• String ID: UR$2$L: $Pass$User$name$word
• API String ID: 0-2058692283
• Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
• Instruction ID: 433f0bea650c77f9518910423b9b3dadbcf1dabe47412181b786dafce9f33f00
• Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
• Instruction Fuzzy Hash: 89917F706187488BDB19EFA8D484BEEB7E1FB98300F40462DD48AD7251EB749946C789
Strings
Memory Dump Source
• Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
Similarity
• API ID:
• String ID: $.$e$n$v
• API String ID: 0-1849617553
• Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
• Instruction ID: 8ff3ca236c0223f8d0215d0ab53726b1023e1cf6d259b2cc74a733988c31e408
• Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
• Instruction Fuzzy Hash: 47719371628B498FD759EF68C4847AAB7F1FFA8304F00066EE44AC7221EB71DD458B85
Strings
Memory Dump Source
• Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
Similarity
• API ID:
• String ID: $.$e$n$v
• API String ID: 0-1849617553
• Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
• Instruction ID: e0c2b04d0e79236a2d8623bdabd1a04aa94fafa737ecfc10243fa86b64fa1251
• Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
• Instruction Fuzzy Hash: 19716031618B498FD758EFA8C4886EEB7F1FF58304F100A2EE45AC7261EB71D9458B85
Strings
Memory Dump Source
• Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
Similarity
• API ID:
• String ID: 2.dl$dll$l32.$ole3$shel
• API String ID: 0-1970020201
• Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
• Instruction ID: 354f0aa256ab43ad13f5423f0e33e0629ef620c8d42188255523e9e657e4f579
• Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
• Instruction Fuzzy Hash: 3F515EB0914B4C8FDB55EFA4C0446EEB7F1FF68300F404A2E959AE7254EF3096418B89
Strings
Memory Dump Source
• Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
Similarity
• API ID:
• String ID: 2.dl$dll$l32.$ole3$shel
• API String ID: 0-1970020201
• Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
• Instruction ID: 129ff5603e23123b0e0d1137290461a20b10ddda0a7f0f4a17be3e2cd2a67150
• Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
• Instruction Fuzzy Hash: 7F513CB0918B4D8BDB54EFA4C445AEEB7F1FF58300F404A2E959AE7214EF7095418B8A
Strings
Memory Dump Source
• Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
Similarity
• API ID:
• String ID: 4$\$dll$ion.$vers
• API String ID: 0-1610437797
• Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
• Instruction ID: 1290cd1766e3ab143121b23fe3847299f464b39b631aa95bee6b108877cd7b07
• Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
• Instruction Fuzzy Hash: 8741A534228B4D8FDB79EF6498557EA73E4FB98301F414A6E984EC7281DF30DA458782
Strings
Memory Dump Source
• Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
Similarity
• API ID:
• String ID: 4$\$dll$ion.$vers
• API String ID: 0-1610437797
• Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
• Instruction ID: 0470c261d1fe52f32547f54b1a4392f75a0bbee11c72dd92c9b9a454989a9833
• Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
• Instruction Fuzzy Hash: 71414F31618B4C8BCBA9EF2498557EE77E4FB98301F504A2E999EC7240EF70D945C782
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: 32.d$cli.$dll$sspi$user
                                                                                                                                                                                                                      • API String ID: 0-327345718
                                                                                                                                                                                                                      • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                                                                                      • Instruction ID: 8a3489afa0e8ca90fbb4d13aa6d87c841211aee2b37bf2b8deaf667ce94645ca
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 12417370A28E0D9FCB54EF58C0947AD77E5FB68300F5045AA980ED7210DA75DA80CBC6
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: 32.d$cli.$dll$sspi$user
                                                                                                                                                                                                                      • API String ID: 0-327345718
                                                                                                                                                                                                                      • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                                                                                      • Instruction ID: 8bc6e817af3a05fd445dcc9dca17caa655f05c499f593b1ba8e9023998594d53
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C1416070A18E0D8FCB98EF68C1A57EE77E1FB58340F50456EA80ED7610EA70D9408BC6
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: .dll$el32$h$kern
                                                                                                                                                                                                                      • API String ID: 0-4264704552
                                                                                                                                                                                                                      • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                                                                                      • Instruction ID: 17767da638bef555331e70805a620ae80d78fe6134945213cdd823b27d2a14ff
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 79418670618B494FDB69DF28849436AB7E1FB98300F104E6E949EC3296DF70C985CB42
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: .dll$el32$h$kern
                                                                                                                                                                                                                      • API String ID: 0-4264704552
                                                                                                                                                                                                                      • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                                                                                      • Instruction ID: 83199b0329d6f8e334ee384f98c5a02f3c8ec1b60b51990b573c77ace098f5c2
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A6417F70608B4D8FD7A9DF2884843AFB7E1FBA8340F104A2E949EC3265DB70D945CB81
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: $Snif$f fr$om:
                                                                                                                                                                                                                      • API String ID: 0-3434893486
                                                                                                                                                                                                                      • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                                                                                      • Instruction ID: 86b2ba1eba4f656b7f98527aa5f1baa6b0464ded216f2b8dc8de8c92293ac094
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A431357552DB885FC71AEB28C4846DAB7D4FBA4300F504D5EE49BC7251EE30AA49CB83
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: $Snif$f fr$om:
                                                                                                                                                                                                                      • API String ID: 0-3434893486
                                                                                                                                                                                                                      • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                                                                                      • Instruction ID: f6fd8c10cbbdab15e897c45747970b6a85bf7c7489b528e81e7c4cf625664a2f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1931BE7150CB886FD71AEB68C4846DEB7D4FB94300F504D1EE49BC7251EE30A94ACA42
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: $Snif$f fr$om:
                                                                                                                                                                                                                      • API String ID: 0-3434893486
                                                                                                                                                                                                                      • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                                                                                                                      • Instruction ID: 4f6cd8537b3488dfb352f4d0d700bc81660e94579dc83af99d4e1f555cba153e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7F310475428B485FC31AEB28C4846DAB3D4FBE4300F404D5EE49BC3241EE30AA49CB83
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: $Snif$f fr$om:
                                                                                                                                                                                                                      • API String ID: 0-3434893486
                                                                                                                                                                                                                      • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                                                                                                                      • Instruction ID: caf15849f8ad3dc49553d56e30f6e0c3723a7441e7dbb3bd822914efadf38ae3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0131C071508B486FD72AEB68C4856EEB7D4FB94300F504D1EE49BC7251EE30A906CE42
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: .dll$chro$hild$me_c
                                                                                                                                                                                                                      • API String ID: 0-3136806129
                                                                                                                                                                                                                      • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                                                                                                                      • Instruction ID: dc26481b8dc1e11b0503675db6963dbd0984eba0b520af6e229b871c10eec9e5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AA31A274629B484FC784EF688494BAAB7E1FFE8300F940AAD984EC7255DF30CA05C742
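The String ID values in the Similarity blocks above are the strings Joe Sandbox recovered from each function, cut into four-character pieces (for example `kern`, `el32`, `.dll`), deduplicated, sorted and joined with `$`. Four-byte pieces are what you see when code assembles a string on the stack from 32-bit immediates instead of referencing it in a data section, which is consistent with the otherwise empty Strings entries and explains why the original order is lost. The Python script below is an added example, not part of the Joe Sandbox report: it takes the String ID values exactly as printed above and re-tiles them against a reference list of strings an analyst would expect to find (the Windows and Chrome DLL names user32.dll, sspicli.dll, kernel32.dll, version.dll, chrome_child.dll, plus the header `Sniff from:`, which is what `Snif`, `f fr` and `om:` spell out in order). The reference list and all function names are this example's own assumptions.

```python
"""Re-tile the '$'-separated String ID fragments of a Joe Sandbox function
record into whole strings. Added example: the reference list and the function
names are assumptions of this example, not content of the report."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed input: the String ID values printed in the Similarity blocks above.
STRING_IDS = [
    "4$\\$dll$ion.$vers",
    "32.d$cli.$dll$sspi$user",
    ".dll$el32$h$kern",
    "$Snif$f fr$om:",
    ".dll$chro$hild$me_c",
]

# Assumed reference list: strings an analyst expects from a process-injecting
# stealer (Windows/Chrome DLL names plus the log header the fragments spell).
KNOWN_STRINGS = [
    "user32.dll", "sspicli.dll", "kernel32.dll", "version.dll",
    "chrome_child.dll", "Sniff from:",
]


@dataclass
class RecoveredStrings:
    fragments: list[str]      # fragments exactly as listed in the String ID
    recovered: list[str]      # reference strings tiled completely
    partial: dict[str, int]   # reference string -> characters covered
    unused: list[str]         # fragments no full match consumed


def split_string_id(string_id: str) -> list[str]:
    """Split the '$'-joined field. An empty token (the leading '$' in
    '$Snif$f fr$om:') marks a fragment the report trimmed away; drop it."""
    return [frag for frag in string_id.split("$") if frag]


def tile(target: str, fragments: list[str]) -> tuple[list[str], int]:
    """Order a subset of `fragments`, each used at most once, so that their
    concatenation spells `target` from its first character. Returns the
    fragments in order and the number of characters covered; covered ==
    len(target) is a full match. Backtracking search; the inputs are tiny."""
    best: tuple[list[str], int] = ([], 0)

    def search(pos: int, used: list[str], avail: list[str]) -> bool:
        nonlocal best
        if pos > best[1]:
            best = (list(used), pos)
        if pos == len(target):
            return True
        for i, frag in enumerate(avail):
            if target.startswith(frag, pos):
                used.append(frag)
                if search(pos + len(frag), used, avail[:i] + avail[i + 1:]):
                    return True
                used.pop()
        return False

    search(0, [], list(fragments))
    return best


def recover(string_id: str, known: list[str] = KNOWN_STRINGS) -> RecoveredStrings:
    """Match one String ID against the reference list. Full matches consume
    their fragments; a reference string covered at least half-way but not
    completely (a fragment missing from the reported set) is kept as partial."""
    fragments = split_string_id(string_id)
    remaining = list(fragments)
    recovered: list[str] = []
    partial: dict[str, int] = {}
    for target in known:
        used, covered = tile(target, remaining)
        if covered == len(target):
            recovered.append(target)
            for frag in used:
                remaining.remove(frag)
        elif covered >= len(target) // 2:
            partial[target] = covered
    return RecoveredStrings(fragments, recovered, partial, remaining)


if __name__ == "__main__":
    for sid in STRING_IDS:
        r = recover(sid)
        print(f"{sid!r:28} -> {r.recovered} partial={r.partial} unused={r.unused}")
```

Two things the output makes visible that the raw field does not: `32.d$cli.$dll$sspi$user` only tiles user32.dll up to `user32.d`, because the trailing `ll` piece is absent from the reported set, so it is reported as a partial match instead of being dropped, while sspicli.dll resolves fully; and the `4` and `\` pieces in the first record are left over after version.dll is assembled, which tells you the function also builds a path or separator the report did not preserve in full.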
Strings
Memory Dump Source
• Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$chro$hild$me_c
• API String ID: 0-3136806129
• Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
• Instruction ID: 6b2a4238c1daaf0bc803c9f7ec4203868addfda297c89f553877d68486c94400
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 78318E31218B484FCB84EF688495BAEB7E1FF98300F944A6D944ECB255DF30D905CB92
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: .dll$chro$hild$me_c
                                                                                                                                                                                                                      • API String ID: 0-3136806129
                                                                                                                                                                                                                      • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                                                                                      • Instruction ID: d108214322fde738f61ee073da990aeead6dd649c88092a1fc005cb6b2378ed1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5C319274229B484FC794EF6884947AAB7E1FFE8300F944AAD944AC7255DF30CA05C746
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: .dll$chro$hild$me_c
                                                                                                                                                                                                                      • API String ID: 0-3136806129
                                                                                                                                                                                                                      • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                                                                                      • Instruction ID: 1e8e7415bde2257728c6d151a2f7146949c09d2670b766cbc6a23d60574b2ed5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 02316D71218B484FC794EF688494BAEB7E1FF98300F944A6D944ECB255DF30C905CB96
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                                                                                      • API String ID: 0-319646191
                                                                                                                                                                                                                      • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                                                                                      • Instruction ID: fd12341dda90933f51613345713d7abfff14c561f3598d09963697c449a6aade
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6B31E371624A0C8FCB15EFA8C8857EDB7E1FF68204F40466AD54ED7240DF788A45C789
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                                                                                      • API String ID: 0-319646191
                                                                                                                                                                                                                      • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                                                                                      • Instruction ID: df324f0a4c0c320e39e4f7c5d376207fb8fcbe03da10e2369e8902667a352a6a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4331D131614A0C8BDB54EFA8C8857EDB7E1FB58214F40462ED44ED7240DE748A45C78A
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                                                                                      • API String ID: 0-319646191
                                                                                                                                                                                                                      • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                                                                                      • Instruction ID: 11bf40b585e17e593160c0a3cc77ba9ed240452820b1aa4a2b19b7de69fa19b3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DB210470A20A0C8BCB15EFA8C8847EDBBE5FF68204F40466AD45AD7240DF748B44C789
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                                                                                      • API String ID: 0-319646191
                                                                                                                                                                                                                      • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                                                                                      • Instruction ID: 990f9689e8e85f53ae6b0f0947659dc8f7bab873b3d5619d21491480cec0ca6e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C921D230A10A0C8BDB54EFA8C8857EDBBE1FF58204F40462EE45AD7250DF749A45CB8A
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: .$l$l$t
                                                                                                                                                                                                                      • API String ID: 0-168566397
                                                                                                                                                                                                                      • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                                                                                      • Instruction ID: f3c8ed52dfdc69130d7f216530179eac1ceb712d221c94d55ba3f5f3dea947f4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8A218DB4A24A0D9FDB08EFA8C4447ADBBF1FF68310F504A6ED009D3610DB759A91CB84
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: .$l$l$t
                                                                                                                                                                                                                      • API String ID: 0-168566397
                                                                                                                                                                                                                      • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                                                                                      • Instruction ID: 8a147fb81c347d8f50d3b34289b923fc43c2314724ae5e760a495b41ee21dc4d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
• Instruction Fuzzy Hash: 9B217CB4A24A0D9BDB08EFA8D4447EDBBF1FF68314F504A6ED009D3600DB759A95CB84
Strings
Memory Dump Source
• Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
Similarity
• API ID:
• String ID: .$l$l$t
• API String ID: 0-168566397
• Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
• Instruction ID: 92c526ecbb296a9a5fc610a91141980c30adc41741f5a7fb2c7a55181499dbb7
• Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
• Instruction Fuzzy Hash: AC216D70A24A0D9BEB48EFA8D4847EDBBF1FB18314F504A2ED14DE3600DB749991CB84
Strings
Memory Dump Source
• Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
Similarity
• API ID:
• String ID: .$l$l$t
• API String ID: 0-168566397
• Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
• Instruction ID: a62409c80658c169b75a5928ce4cf63dbb37771c962c7643099607dfa8805813
• Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
• Instruction Fuzzy Hash: 3A215E70A14A0D9FDB44EFA8D0847EDBAF1FB58314F504A2ED14DE3610DB749991CB84
Strings
Memory Dump Source
• Source File: 00000006.00000002.4621223587.000000000E170000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e170000_explorer.jbxd
Similarity
• API ID:
• String ID: auth$logi$pass$user
• API String ID: 0-2393853802
• Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
• Instruction ID: 37fbacab9593ab6c247c038d0293cd56ba7610cf8174b6ce48effa3164e4aeea
• Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
• Instruction Fuzzy Hash: 5F21C070624B0D8BCB05DF9998906EEB7E1EF88354F00465AD40ADB245D7B2DE148BC2
Strings
Memory Dump Source
• Source File: 00000006.00000002.4620941223.000000000E030000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_e030000_explorer.jbxd
Similarity
• API ID:
• String ID: auth$logi$pass$user
• API String ID: 0-2393853802
• Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
• Instruction ID: cf8189bb998c05dcab183fc8d30bb2103fae5bb31a12a6d55e01c93ef6ed3f65
• Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
• Instruction Fuzzy Hash: 6221AC30624B0D8BCB45DFA998906EEB7E1EF98344F044A1EA40AEB244D7B0DD14CBC6

Execution Graph

Execution Coverage: 1.9%
Dynamic/Decrypted Code Coverage: 6.7%
Signature Coverage: 0%
Total number of Nodes: 625
Total number of Limit Nodes: 83
                                                                                                                                                                                                                      execution_graph 100692 550cb84 100695 550a042 100692->100695 100694 550cba5 100697 550a06b 100695->100697 100696 550a56c 100696->100694 100697->100696 100698 550a182 NtQueryInformationProcess 100697->100698 100700 550a1ba 100698->100700 100699 550a1ef 100699->100694 100700->100699 100701 550a290 100700->100701 100702 550a2db 100700->100702 100724 5509de2 NtCreateSection NtMapViewOfSection NtClose 100701->100724 100703 550a2fc NtSuspendThread 100702->100703 100704 550a30d 100703->100704 100707 550a331 100703->100707 100704->100694 100706 550a2cf 100706->100694 100710 550a412 100707->100710 100715 5509bb2 100707->100715 100709 550a531 100711 550a552 NtResumeThread 100709->100711 100710->100709 100712 550a4a6 NtSetContextThread 100710->100712 100711->100696 100713 550a4bd 100712->100713 100713->100709 100714 550a51c NtQueueApcThread 100713->100714 100714->100709 100716 5509bf7 100715->100716 100717 5509c66 NtCreateSection 100716->100717 100718 5509ca0 100717->100718 100719 5509d4e 100717->100719 100720 5509cc1 NtMapViewOfSection 100718->100720 100719->100710 100720->100719 100721 5509d0c 100720->100721 100721->100719 100722 5509d88 100721->100722 100723 5509dc5 NtClose 100722->100723 100723->100710 100724->100706 100725 4c79050 100736 4c7bd10 100725->100736 100727 4c7916c 100728 4c7908b 100728->100727 100739 4c6acf0 100728->100739 100732 4c790f0 Sleep 100733 4c790dd 100732->100733 100733->100727 100733->100732 100748 4c78c70 LdrLoadDll 100733->100748 100749 4c78e80 LdrLoadDll 100733->100749 100750 4c7a510 100736->100750 100738 4c7bd3d 100738->100728 100740 4c6ad14 100739->100740 100741 4c6ad1b 100740->100741 100742 4c6ad50 LdrLoadDll 100740->100742 100743 4c74e50 100741->100743 100742->100741 100744 4c74e6a 100743->100744 100745 4c74e5e 100743->100745 
100744->100733 100745->100744 100757 4c752d0 LdrLoadDll 100745->100757 100747 4c74fbc 100747->100733 100748->100733 100749->100733 100751 4c7a52c NtAllocateVirtualMemory 100750->100751 100753 4c7af30 100750->100753 100751->100738 100754 4c7af40 100753->100754 100756 4c7af62 100753->100756 100755 4c74e50 LdrLoadDll 100754->100755 100755->100756 100756->100751 100757->100747 100761 5792ad0 LdrInitializeThunk 100762 4c7f19d 100765 4c7b9a0 100762->100765 100766 4c7b9c6 100765->100766 100773 4c69d40 100766->100773 100768 4c7b9d2 100769 4c7b9f6 100768->100769 100781 4c68f30 100768->100781 100819 4c7a680 100769->100819 100822 4c69c90 100773->100822 100775 4c69d4d 100776 4c69d54 100775->100776 100834 4c69c30 100775->100834 100776->100768 100782 4c68f57 100781->100782 101236 4c6b1c0 100782->101236 100784 4c68f69 101240 4c6af10 100784->101240 100786 4c68f86 100793 4c68f8d 100786->100793 101311 4c6ae40 LdrLoadDll 100786->101311 100789 4c68ffc 101256 4c6f410 100789->101256 100791 4c69006 100792 4c7bf60 2 API calls 100791->100792 100815 4c690f2 100791->100815 100794 4c6902a 100792->100794 100793->100815 101244 4c6f380 100793->101244 100795 4c7bf60 2 API calls 100794->100795 100796 4c6903b 100795->100796 100797 4c7bf60 2 API calls 100796->100797 100798 4c6904c 100797->100798 101268 4c6ca90 100798->101268 100800 4c69059 100801 4c74a50 8 API calls 100800->100801 100802 4c69066 100801->100802 100803 4c74a50 8 API calls 100802->100803 100804 4c69077 100803->100804 100805 4c69084 100804->100805 100806 4c690a5 100804->100806 101278 4c6d620 100805->101278 100808 4c74a50 8 API calls 100806->100808 100814 4c690c1 100808->100814 100810 4c690e9 100812 4c68d00 23 API calls 100810->100812 100812->100815 100813 4c69092 101294 4c68d00 100813->101294 100814->100810 101312 4c6d6c0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 100814->101312 100815->100769 100820 4c7af30 LdrLoadDll 100819->100820 100821 4c7a69f 100820->100821 100853 4c78b90 100822->100853 100826 
4c69cb6 100826->100775 100827 4c69cac 100827->100826 100860 4c7b280 100827->100860 100829 4c69cf3 100829->100826 100871 4c69ab0 100829->100871 100831 4c69d13 100877 4c69620 LdrLoadDll 100831->100877 100833 4c69d25 100833->100775 100835 4c69c4a 100834->100835 100836 4c7b570 LdrLoadDll 100834->100836 101215 4c7b570 100835->101215 100836->100835 100839 4c7b570 LdrLoadDll 100840 4c69c71 100839->100840 100841 4c6f180 100840->100841 100842 4c6f199 100841->100842 101219 4c6b040 100842->101219 100844 4c6f1ac 101223 4c7a1b0 100844->101223 100847 4c69d65 100847->100768 100849 4c6f1d2 100850 4c6f1fd 100849->100850 101229 4c7a230 100849->101229 100851 4c7a460 2 API calls 100850->100851 100851->100847 100854 4c78b9f 100853->100854 100855 4c74e50 LdrLoadDll 100854->100855 100856 4c69ca3 100855->100856 100857 4c78a40 100856->100857 100878 4c7a5d0 100857->100878 100861 4c7b299 100860->100861 100881 4c74a50 100861->100881 100863 4c7b2b1 100864 4c7b2ba 100863->100864 100920 4c7b0c0 100863->100920 100864->100829 100866 4c7b2ce 100866->100864 100938 4c79ed0 100866->100938 100874 4c69aca 100871->100874 101193 4c67ea0 100871->101193 100873 4c69ad1 100873->100831 100874->100873 101206 4c68160 100874->101206 100877->100833 100879 4c7af30 LdrLoadDll 100878->100879 100880 4c78a55 100879->100880 100880->100827 100882 4c74d85 100881->100882 100892 4c74a64 100881->100892 100882->100863 100884 4c74b44 100885 4c74b73 100884->100885 100886 4c74b90 100884->100886 100890 4c74b7d 100884->100890 101008 4c7a430 LdrLoadDll 100885->101008 100951 4c7a330 100886->100951 100889 4c74bb7 100891 4c7bd90 2 API calls 100889->100891 100890->100863 100895 4c74bc3 100891->100895 100892->100882 100946 4c79c20 100892->100946 100893 4c74d49 100896 4c7a460 2 API calls 100893->100896 100894 4c74d5f 101017 4c74790 LdrLoadDll NtReadFile NtClose 100894->101017 100895->100890 100895->100893 100895->100894 100900 4c74c52 100895->100900 100897 4c74d50 100896->100897 100897->100863 100899 4c74d72 100899->100863 100901 4c74cb9 
100900->100901 100903 4c74c61 100900->100903 100901->100893 100902 4c74ccc 100901->100902 101010 4c7a2b0 100902->101010 100905 4c74c66 100903->100905 100906 4c74c7a 100903->100906 101009 4c74650 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 100905->101009 100909 4c74c97 100906->100909 100910 4c74c7f 100906->100910 100909->100897 100966 4c74410 100909->100966 100954 4c746f0 100910->100954 100912 4c74c70 100912->100863 100914 4c74d2c 101014 4c7a460 100914->101014 100915 4c74c8d 100915->100863 100917 4c74caf 100917->100863 100919 4c74d38 100919->100863 100921 4c7b0d1 100920->100921 100922 4c7b0e3 100921->100922 100923 4c7bd10 2 API calls 100921->100923 100922->100866 100924 4c7b104 100923->100924 101038 4c74070 100924->101038 100926 4c7b150 100926->100866 100927 4c7b127 100927->100926 100928 4c74070 3 API calls 100927->100928 100929 4c7b149 100928->100929 100929->100926 101070 4c75390 100929->101070 100931 4c7b1da 100933 4c7b1ea 100931->100933 101164 4c7aed0 LdrLoadDll 100931->101164 101080 4c7ad40 100933->101080 100935 4c7b218 101159 4c79e90 100935->101159 100939 4c7af30 LdrLoadDll 100938->100939 100940 4c79eec 100939->100940 101187 5792c0a 100940->101187 100941 4c79f07 100943 4c7bd90 100941->100943 101190 4c7a640 100943->101190 100945 4c7b329 100945->100829 100947 4c79c3c 100946->100947 100948 4c7af30 LdrLoadDll 100946->100948 100947->100884 100949 4c7af30 LdrLoadDll 100947->100949 100948->100947 100950 4c79c7c 100949->100950 100950->100884 100952 4c7af30 LdrLoadDll 100951->100952 100953 4c7a34c NtCreateFile 100952->100953 100953->100889 100955 4c7470c 100954->100955 100956 4c7a2b0 LdrLoadDll 100955->100956 100957 4c7472d 100956->100957 100958 4c74734 100957->100958 100959 4c74748 100957->100959 100960 4c7a460 2 API calls 100958->100960 100961 4c7a460 2 API calls 100959->100961 100962 4c7473d 100960->100962 100963 4c74751 100961->100963 100962->100915 101018 4c7bfa0 LdrLoadDll RtlAllocateHeap 100963->101018 100965 4c7475c 100965->100915 100967 4c7448e 
100966->100967 100968 4c7445b 100966->100968 100969 4c745d9 100967->100969 100973 4c744aa 100967->100973 100970 4c7a2b0 LdrLoadDll 100968->100970 100971 4c7a2b0 LdrLoadDll 100969->100971 100972 4c74476 100970->100972 100974 4c745f4 100971->100974 100975 4c7a460 2 API calls 100972->100975 100976 4c7a2b0 LdrLoadDll 100973->100976 101034 4c7a2f0 LdrLoadDll 100974->101034 100977 4c7447f 100975->100977 100978 4c744c5 100976->100978 100977->100917 100980 4c744e1 100978->100980 100981 4c744cc 100978->100981 100984 4c744e6 100980->100984 100985 4c744fc 100980->100985 100983 4c7a460 2 API calls 100981->100983 100982 4c7462e 100986 4c7a460 2 API calls 100982->100986 100987 4c744d5 100983->100987 100988 4c7a460 2 API calls 100984->100988 100993 4c74501 100985->100993 101019 4c7bf60 100985->101019 100989 4c74639 100986->100989 100987->100917 100990 4c744ef 100988->100990 100989->100917 100990->100917 101001 4c74513 100993->101001 101022 4c7a3e0 100993->101022 100994 4c74567 100995 4c7457e 100994->100995 101033 4c7a270 LdrLoadDll 100994->101033 100997 4c74585 100995->100997 100998 4c7459a 100995->100998 101000 4c7a460 2 API calls 100997->101000 100999 4c7a460 2 API calls 100998->100999 101002 4c745a3 100999->101002 101000->101001 101001->100917 101003 4c745cf 101002->101003 101028 4c7bb60 101002->101028 101003->100917 101005 4c745ba 101006 4c7bd90 2 API calls 101005->101006 101007 4c745c3 101006->101007 101007->100917 101008->100890 101009->100912 101011 4c7af30 LdrLoadDll 101010->101011 101012 4c74d14 101011->101012 101013 4c7a2f0 LdrLoadDll 101012->101013 101013->100914 101015 4c7af30 LdrLoadDll 101014->101015 101016 4c7a47c NtClose 101015->101016 101016->100919 101017->100899 101018->100965 101035 4c7a600 101019->101035 101021 4c7bf78 101021->100993 101023 4c7a3fc NtReadFile 101022->101023 101024 4c7af30 LdrLoadDll 101022->101024 101023->100994 101025 4c7a436 101023->101025 101024->101023 101026 4c7af30 LdrLoadDll 101025->101026 101027 4c7a44c 101026->101027 101027->100994 
101029 4c7bb84 101028->101029 101030 4c7bb6d 101028->101030 101029->101005 101030->101029 101031 4c7bf60 2 API calls 101030->101031 101032 4c7bb9b 101031->101032 101032->101005 101033->100995 101034->100982 101036 4c7af30 LdrLoadDll 101035->101036 101037 4c7a61c RtlAllocateHeap 101036->101037 101037->101021 101039 4c74081 101038->101039 101040 4c74089 101038->101040 101039->100927 101069 4c7435c 101040->101069 101165 4c7cf00 101040->101165 101042 4c740dd 101043 4c7cf00 2 API calls 101042->101043 101046 4c740e8 101043->101046 101044 4c74136 101047 4c7cf00 2 API calls 101044->101047 101046->101044 101173 4c7cfa0 LdrLoadDll RtlAllocateHeap RtlFreeHeap 101046->101173 101174 4c7d030 101046->101174 101050 4c7414a 101047->101050 101049 4c741a7 101051 4c7cf00 2 API calls 101049->101051 101050->101049 101053 4c7d030 3 API calls 101050->101053 101052 4c741bd 101051->101052 101054 4c741fa 101052->101054 101056 4c7d030 3 API calls 101052->101056 101053->101050 101055 4c7cf00 2 API calls 101054->101055 101057 4c74205 101055->101057 101056->101052 101058 4c7d030 3 API calls 101057->101058 101064 4c7423f 101057->101064 101058->101057 101061 4c7cf60 2 API calls 101062 4c7433e 101061->101062 101063 4c7cf60 2 API calls 101062->101063 101065 4c74348 101063->101065 101170 4c7cf60 101064->101170 101066 4c7cf60 2 API calls 101065->101066 101067 4c74352 101066->101067 101068 4c7cf60 2 API calls 101067->101068 101068->101069 101069->100927 101071 4c753a1 101070->101071 101072 4c74a50 8 API calls 101071->101072 101074 4c753b7 101072->101074 101073 4c7540a 101073->100931 101074->101073 101075 4c75405 101074->101075 101076 4c753f2 101074->101076 101078 4c7bd90 2 API calls 101075->101078 101077 4c7bd90 2 API calls 101076->101077 101079 4c753f7 101077->101079 101078->101073 101079->100931 101180 4c7ac00 101080->101180 101083 4c7ac00 LdrLoadDll 101084 4c7ad5d 101083->101084 101085 4c7ac00 LdrLoadDll 101084->101085 101086 4c7ad66 101085->101086 101087 4c7ac00 LdrLoadDll 101086->101087 101088 
4c7ad6f 101087->101088 101089 4c7ac00 LdrLoadDll 101088->101089 101090 4c7ad78 101089->101090 101091 4c7ac00 LdrLoadDll 101090->101091 101092 4c7ad81 101091->101092 101093 4c7ac00 LdrLoadDll 101092->101093 101094 4c7ad8d 101093->101094 101095 4c7ac00 LdrLoadDll 101094->101095 101096 4c7ad96 101095->101096 101097 4c7ac00 LdrLoadDll 101096->101097 101098 4c7ad9f 101097->101098 101099 4c7ac00 LdrLoadDll 101098->101099 101100 4c7ada8 101099->101100 101101 4c7ac00 LdrLoadDll 101100->101101 101102 4c7adb1 101101->101102 101103 4c7ac00 LdrLoadDll 101102->101103 101104 4c7adba 101103->101104 101105 4c7ac00 LdrLoadDll 101104->101105 101106 4c7adc6 101105->101106 101107 4c7ac00 LdrLoadDll 101106->101107 101108 4c7adcf 101107->101108 101109 4c7ac00 LdrLoadDll 101108->101109 101110 4c7add8 101109->101110 101111 4c7ac00 LdrLoadDll 101110->101111 101112 4c7ade1 101111->101112 101113 4c7ac00 LdrLoadDll 101112->101113 101114 4c7adea 101113->101114 101115 4c7ac00 LdrLoadDll 101114->101115 101116 4c7adf3 101115->101116 101117 4c7ac00 LdrLoadDll 101116->101117 101118 4c7adff 101117->101118 101119 4c7ac00 LdrLoadDll 101118->101119 101120 4c7ae08 101119->101120 101121 4c7ac00 LdrLoadDll 101120->101121 101122 4c7ae11 101121->101122 101123 4c7ac00 LdrLoadDll 101122->101123 101124 4c7ae1a 101123->101124 101125 4c7ac00 LdrLoadDll 101124->101125 101126 4c7ae23 101125->101126 101127 4c7ac00 LdrLoadDll 101126->101127 101128 4c7ae2c 101127->101128 101129 4c7ac00 LdrLoadDll 101128->101129 101130 4c7ae38 101129->101130 101131 4c7ac00 LdrLoadDll 101130->101131 101132 4c7ae41 101131->101132 101133 4c7ac00 LdrLoadDll 101132->101133 101134 4c7ae4a 101133->101134 101135 4c7ac00 LdrLoadDll 101134->101135 101136 4c7ae53 101135->101136 101137 4c7ac00 LdrLoadDll 101136->101137 101138 4c7ae5c 101137->101138 101139 4c7ac00 LdrLoadDll 101138->101139 101140 4c7ae65 101139->101140 101141 4c7ac00 LdrLoadDll 101140->101141 101142 4c7ae71 101141->101142 101143 4c7ac00 LdrLoadDll 101142->101143 101144 4c7ae7a 
101143->101144 101145 4c7ac00 LdrLoadDll 101144->101145 101146 4c7ae83 101145->101146 101147 4c7ac00 LdrLoadDll 101146->101147 101148 4c7ae8c 101147->101148 101149 4c7ac00 LdrLoadDll 101148->101149 101150 4c7ae95 101149->101150 101151 4c7ac00 LdrLoadDll 101150->101151 101152 4c7ae9e 101151->101152 101153 4c7ac00 LdrLoadDll 101152->101153 101154 4c7aeaa 101153->101154 101155 4c7ac00 LdrLoadDll 101154->101155 101156 4c7aeb3 101155->101156 101157 4c7ac00 LdrLoadDll 101156->101157 101158 4c7aebc 101157->101158 101158->100935 101160 4c7af30 LdrLoadDll 101159->101160 101161 4c79eac 101160->101161 101186 5792df0 LdrInitializeThunk 101161->101186 101162 4c79ec3 101162->100866 101164->100933 101166 4c7cf16 101165->101166 101167 4c7cf10 101165->101167 101168 4c7bf60 2 API calls 101166->101168 101167->101042 101169 4c7cf3c 101168->101169 101169->101042 101171 4c7bd90 2 API calls 101170->101171 101172 4c74334 101171->101172 101172->101061 101173->101046 101175 4c7cfa0 101174->101175 101176 4c7cffd 101175->101176 101177 4c7bf60 2 API calls 101175->101177 101176->101046 101178 4c7cfda 101177->101178 101179 4c7bd90 2 API calls 101178->101179 101179->101176 101181 4c7ac1b 101180->101181 101182 4c74e50 LdrLoadDll 101181->101182 101183 4c7ac3b 101182->101183 101184 4c74e50 LdrLoadDll 101183->101184 101185 4c7ace7 101183->101185 101184->101185 101185->101083 101186->101162 101188 5792c1f LdrInitializeThunk 101187->101188 101189 5792c11 101187->101189 101188->100941 101189->100941 101191 4c7a65c RtlFreeHeap 101190->101191 101192 4c7af30 LdrLoadDll 101190->101192 101191->100945 101192->101191 101194 4c67eb0 101193->101194 101195 4c67eab 101193->101195 101196 4c7bd10 2 API calls 101194->101196 101195->100874 101202 4c67ed5 101196->101202 101197 4c67f38 101197->100874 101198 4c79e90 2 API calls 101198->101202 101199 4c67f3e 101201 4c67f64 101199->101201 101203 4c7a590 2 API calls 101199->101203 101201->100874 101202->101197 101202->101198 101202->101199 101204 4c7bd10 2 API calls 

Control-flow Graph

APIs
• NtQueryInformationProcess.NTDLL ref: 0550A19F
Strings
Memory Dump Source
• Source File: 00000007.00000002.4608802003.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5500000_chkdsk.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209
• Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
• Instruction ID: 9451641e7741183a32fbdb941f45d21fa9d31cc25642d62f8365f1834852da0f
• Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
• Instruction Fuzzy Hash: F3F12171618A8D8FDBA5EF68C898AEEB7F0FF98304F40562AD44AD7250DF349542CB41

Control-flow Graph

• Executed
• Not Executed
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4608802003.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5500000_chkdsk.jbxd
Similarity
• API ID: Section$CloseCreateView
• String ID: @$@
• API String ID: 1133238012-149943524
• Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
• Instruction ID: 29b8af61bcdac833f2bec4e34ecce24e4d22d6209870b51b7395059c7a6e6756
• Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
• Instruction Fuzzy Hash: 5461847061CB498FCB58DF58D8856AABBE0FF98314F50062EE58AC3691DF35D442CB86

Control-flow Graph

• Executed
• Not Executed
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4608802003.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5500000_chkdsk.jbxd
Similarity
• API ID: Section$CreateView
• String ID: @$@
• API String ID: 1585966358-149943524
• Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
• Instruction ID: a276d3d101d4652963981a2d9111bae7c315f40d2291d62999875d3612f00554
• Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
• Instruction Fuzzy Hash: 4F5170706187098FC758DF18D895AAABBE0FB88314F50062EF98AC3691DF35D441CB86

Control-flow Graph

APIs
• NtQueryInformationProcess.NTDLL ref: 0550A19F
Strings
Memory Dump Source
• Source File: 00000007.00000002.4608802003.0000000005500000.00000040.00000800.00020000.00000000.sdmp, Offset: 05500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5500000_chkdsk.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209
• Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
• Instruction ID: cb6d18d980e69253bc264b7a476b93106d898c9633bf8b51c90f3379eaa7f04a
• Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
• Instruction Fuzzy Hash: C7512E70918A8C8FDB69EF68C8946EEB7F4FB98315F40462ED84AD7250DF309645CB41

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 557 4c7a330-4c7a381 call 4c7af30 NtCreateFile
APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,04C74BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,04C74BB7,007A002E,00000000,00000060,00000000,00000000), ref: 04C7A37D
Strings
Memory Dump Source
• Source File: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_4c60000_chkdsk.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID: .z`
• API String ID: 823142352-1441809116
• Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
• Instruction ID: 4ad3ec24916ea7869c3c15d3ecb9cbbd08a8e28d9e93bf6d96ef73793a893a2b
• Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
• Instruction Fuzzy Hash: 63F0BDB2211208ABCB08CF88DC84EEB77ADAF8C754F158248BA0D97240C630F8118BA4
APIs
• NtReadFile.NTDLL(04C74D72,5EB65239,FFFFFFFF,04C74A31,?,?,04C74D72,?,04C74A31,FFFFFFFF,5EB65239,04C74D72,?,00000000), ref: 04C7A425
Memory Dump Source
• Source File: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_4c60000_chkdsk.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 5fce98419675b8150b1b35dccbc3d588d7963adaf1ac3962f032f5eb02082af7
• Instruction ID: 8d66b3cb5f62c9cf9d2cdceb6e24e54ae5f0d11d4da908f873dd60a659e6c1c5
• Opcode Fuzzy Hash: 5fce98419675b8150b1b35dccbc3d588d7963adaf1ac3962f032f5eb02082af7
• Instruction Fuzzy Hash: 430125B2210204ABDB14DF98CC84EEB77A9EF8C354F058649FA1DAB251C631E9118BA0
APIs
• NtReadFile.NTDLL(04C74D72,5EB65239,FFFFFFFF,04C74A31,?,?,04C74D72,?,04C74A31,FFFFFFFF,5EB65239,04C74D72,?,00000000), ref: 04C7A425
Memory Dump Source
• Source File: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_4c60000_chkdsk.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
• NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,04C62D11,00002000,00003000,00000004), ref: 04C7A549
Memory Dump Source
• Source File: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_4c60000_chkdsk.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
APIs
• NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,04C62D11,00002000,00003000,00000004), ref: 04C7A549
Memory Dump Source
• Source File: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_4c60000_chkdsk.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
APIs
• NtClose.NTDLL(04C74D50,?,?,04C74D50,00000000,FFFFFFFF), ref: 04C7A485
Memory Dump Source
• Source File: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_4c60000_chkdsk.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
APIs
Memory Dump Source
• Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
• Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
• Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
• Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
• Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: 2e78204098ac9206736161e7d211a4fbf916e8c4f888d4536c8ffa29e88ccf22
                                                                                                                                                                                                                      • Instruction ID: 34713e6df8042727153e151c2ed1bcb2b8a0d753e807c528573446072fffb2b7
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2e78204098ac9206736161e7d211a4fbf916e8c4f888d4536c8ffa29e88ccf22
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B690027370140842D10071984444B46001587F0301F95C126A0124664D8615C9517522
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: efd0824ee277bcc87b2a4de684df5bdf501e029f9d476f954959c94499f21253
                                                                                                                                                                                                                      • Instruction ID: 832471f59b1f49b73a185eb0efbcb928745657fbe8aa8cfd8eb2f48ea8a5fb6d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: efd0824ee277bcc87b2a4de684df5bdf501e029f9d476f954959c94499f21253
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FA90027370140402D10075D85448646001587F0301F95D121A5024565EC66589917132
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: 27f03ced0ad49471de45fa50e22e602c84d6f67d91e4791dcdc4df2963133e2f
                                                                                                                                                                                                                      • Instruction ID: d6c0722abd287a55857b5cd63ff6065664087e96589c5e96b6e9f35514300a55
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 27f03ced0ad49471de45fa50e22e602c84d6f67d91e4791dcdc4df2963133e2f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 209002A374140442D10071984454B060015C7F1301F95C125E1064564D8619CD527127
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: e30d96b84f2945c0979e6cb42e73d0c250e7bfa9e1fd2c0991f5bd9381b9152c
                                                                                                                                                                                                                      • Instruction ID: c6d5c6cd2de5fb261435e58794fd3d0f630dbb49de860dfac23950e7d0a895a7
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e30d96b84f2945c0979e6cb42e73d0c250e7bfa9e1fd2c0991f5bd9381b9152c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 32900263711C0042D20075A84C54B07001587E0303F95C225A0154564CC91589616522
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: c5edda1eeedb4fec9e9d24ec675eef8b4a51a2f87a8fc05a681480e396f34f4e
                                                                                                                                                                                                                      • Instruction ID: 416eb764734c8bb6ba4d5446615c7ce1c553c64bcb9c46a674858012541c45a1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c5edda1eeedb4fec9e9d24ec675eef8b4a51a2f87a8fc05a681480e396f34f4e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A39002B370140402D14071984444746001587E0301F95C121A5064564E86598ED57666
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                                                                      • Opcode ID: a5eb20ef3605d70ed0a805aec4d6764bb46d814c2d480bfab8ac72997eb0d342
                                                                                                                                                                                                                      • Instruction ID: 873ae8d313b442927b196a150bcac7ec6540e01f6ff9526277b92ebdd5168d96
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a5eb20ef3605d70ed0a805aec4d6764bb46d814c2d480bfab8ac72997eb0d342
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 019002A370240003410571984454616401A87F0201B95C131E10145A0DC52589917126
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
                                                                                                                                                                                                                      Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: f467e983438852cfb40e561c19ee6c6e71eebade93a9368d0a73032fa62bda46
• Instruction ID: 660a09afdacbdf048bbf01081b74c9612eaa797f6acaf85d183b361117135f4f
• Opcode Fuzzy Hash: f467e983438852cfb40e561c19ee6c6e71eebade93a9368d0a73032fa62bda46
• Instruction Fuzzy Hash: 2590027370140802D1807198444464A001587E1301FD5C125A0025664DCA158B5977A2
APIs
Memory Dump Source
• Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
• Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 2068fba131f42783b39572134d5163b7a28f4a6a406e67575607cd391f97ff26
• Instruction ID: 4c5244f2c5e5a4ddfa710b2c3e7b607414e3d4397eca46b6a0ce5324528251bc
• Opcode Fuzzy Hash: 2068fba131f42783b39572134d5163b7a28f4a6a406e67575607cd391f97ff26
• Instruction Fuzzy Hash: CD90027370544842D14071984444A46002587E0305F95C121A00646A4D96258E55B662
APIs
Memory Dump Source
• Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
• Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 95e7237fb802af0e192867eaa90933fbfa2980e93776e9048df672bee33a2275
• Instruction ID: e7a06945aaecdc6227c5582d9d04988a7a0fa113d8c209dcf464c327ceae73c4
• Opcode Fuzzy Hash: 95e7237fb802af0e192867eaa90933fbfa2980e93776e9048df672bee33a2275
• Instruction Fuzzy Hash: 16900267711400030105B5980744507005687E5351395C131F1015560CD62189616122
APIs
Memory Dump Source
• Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
• Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 234d085a5d73a69eb0b6fab927610fa686cee74807d8474f860c6cdf5c319070
• Instruction ID: 84ee325050e0330ff1cbe6a368f5ffe5d9ca25d329d6d33304eca6f914f9b1e0
• Opcode Fuzzy Hash: 234d085a5d73a69eb0b6fab927610fa686cee74807d8474f860c6cdf5c319070
• Instruction Fuzzy Hash: A7900273B0550402D10071984554706101587E0201FA5C521A0424578D87958A5175A3

Control-flow Graph

control_flow_graph 399 4c79050-4c79092 call 4c7bd10 402 4c7916c-4c79172 399->402 403 4c79098-4c790e8 call 4c7bde0 call 4c6acf0 call 4c74e50 399->403 410 4c790f0-4c79101 Sleep 403->410 411 4c79166-4c7916a 410->411 412 4c79103-4c79109 410->412 411->402 411->410 413 4c79133-4c79153 412->413 414 4c7910b-4c79131 call 4c78c70 412->414 415 4c79159-4c7915c 413->415 416 4c79154 call 4c78e80 413->416 414->415 415->411 416->415
APIs
• Sleep.KERNELBASE(000007D0), ref: 04C790F8
Strings
Memory Dump Source
• Source File: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_4c60000_chkdsk.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: 86177b1e851e545efa3c4424ab4461e2c67e0f2fc85896a96eae60caf761b377
• Instruction ID: d8458b587729e61e73c2c23a07f225530dc9f16f97626a2ba9354f0cbf747a9b
• Opcode Fuzzy Hash: 86177b1e851e545efa3c4424ab4461e2c67e0f2fc85896a96eae60caf761b377
• Instruction Fuzzy Hash: EC3190B6500744BBD724DF64C885F67B7B9BB48B04F10811DFA2A6B245DA30B660CBA8

Control-flow Graph

control_flow_graph 419 4c79047-4c79092 call 4c7bd10 423 4c7916c-4c79172 419->423 424 4c79098-4c790e8 call 4c7bde0 call 4c6acf0 call 4c74e50 419->424 431 4c790f0-4c79101 Sleep 424->431 432 4c79166-4c7916a 431->432 433 4c79103-4c79109 431->433 432->423 432->431 434 4c79133-4c79153 433->434 435 4c7910b-4c79131 call 4c78c70 433->435 436 4c79159-4c7915c 434->436 437 4c79154 call 4c78e80 434->437 435->436 436->432 437->436
APIs
• Sleep.KERNELBASE(000007D0), ref: 04C790F8
Strings
Memory Dump Source
• Source File: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_4c60000_chkdsk.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: 986ae1026c0fce7a58b2028a1f2a9bf29e29043af26d9de9b3da525d485059a7
• Instruction ID: 22b9dafabeec793778bafd760f3dcc4917a8b85b52f9219341d1fe2f4d0bf529
• Opcode Fuzzy Hash: 986ae1026c0fce7a58b2028a1f2a9bf29e29043af26d9de9b3da525d485059a7
• Instruction Fuzzy Hash: 3131C1B6A00604ABD714DF68CCC5F67B7B9FB48B04F10811DE62A6B245DA70B660CBA4

Control-flow Graph

APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,04C63AF8), ref: 04C7A66D
Strings
Memory Dump Source
• Source File: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_4c60000_chkdsk.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116
• Opcode ID: c710aa6f81abb34eb9557e97aefccbcadc3a04194c4c20b32b0a075ced58ceab
• Instruction ID: 7d985de56b54a76452ae74a92ae2894a704518695fe5026b7c159f6c443bf63b
• Opcode Fuzzy Hash: c710aa6f81abb34eb9557e97aefccbcadc3a04194c4c20b32b0a075ced58ceab
• Instruction Fuzzy Hash: 4311ACB92143046FDB14EFA8DC80CEB77A9EF84318B408949F85987302D231FA11CBB0

Control-flow Graph

control_flow_graph 560 4c7a640-4c7a656 561 4c7a65c-4c7a671 RtlFreeHeap 560->561 562 4c7a657 call 4c7af30 560->562 562->561
APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,04C63AF8), ref: 04C7A66D
Strings
Memory Dump Source
• Source File: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_4c60000_chkdsk.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116
• Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
• Instruction ID: 556b3a9e1d690b0b2f0f09ff0e7f00dec1b366507536b01799c70963dbb12a4b
• Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
• Instruction Fuzzy Hash: 15E046B1210208ABDB18EF99CC48EAB77ADEF88754F018559FE085B241C631F910CAF0
Control-flow Graph: function 4c68310-4c68392, calling 4c7be30, 4c7c9d0, 4c6acf0, 4c74e50, 4c6a480 and PostThreadMessageW
APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 04C6836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 04C6838B
Memory Dump Source
• Source File: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_4c60000_chkdsk.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 11db2db6729fad1b2fe29d12422f9571aab132b5507ffda246947416a0e543a6
• Instruction ID: 5498eb998ffe3a18f60990ce5efa8f85f00fb1a5ba544d196e0ad85b6ef3b0e0
• Opcode Fuzzy Hash: 11db2db6729fad1b2fe29d12422f9571aab132b5507ffda246947416a0e543a6
• Instruction Fuzzy Hash: FF01F231A8122877F720AA949C42FBE772D5F40F54F044119FF04BA1C1E6A4BA0642F6

APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 04C6836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 04C6838B
Memory Dump Source
• Source File: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_4c60000_chkdsk.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 11fb7617b85aa47b16f5f024dcd02188c636c34022a2a31c27493a18eb9d4f5a
• Instruction ID: 5dfeb0172981872fc1019472c8a306d62530bdd08ef1cbd6f48161b28eed1698
• Opcode Fuzzy Hash: 11fb7617b85aa47b16f5f024dcd02188c636c34022a2a31c27493a18eb9d4f5a
• Instruction Fuzzy Hash: B0014932A4122933F62176682C82FF9731D5B01A68F044165FE05EA1C0E981F90152F5
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 04C6AD62
Memory Dump Source
• Source File: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_4c60000_chkdsk.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction ID: c9c02407b4b28b0764a4eb7652781ff44829e2e1217f2434dea90b1c1db4a540
• Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction Fuzzy Hash: 30011EB5D4020DBBEB10EBA4DC81F9DB7B99F45308F0085A5AA09A7240F671FB14DB91
APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 04C7A704
Memory Dump Source
• Source File: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_4c60000_chkdsk.jbxd
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0
• Opcode ID: 7b49a99931ad2f049d45eef54a0a5772e9f4f0e6ed0a9cfa590843b57ff0d4b8
• Instruction ID: 7cb036dd364e2fd5c9f121d6e84e10080717b3b04c7fe7691fce2310567794dc
• Opcode Fuzzy Hash: 7b49a99931ad2f049d45eef54a0a5772e9f4f0e6ed0a9cfa590843b57ff0d4b8
• Instruction Fuzzy Hash: A101AFB2215108ABCB54DF89DC80EEB37ADAF8C754F158258FE0D97241C630E851CBA0
APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 04C7A704
Memory Dump Source
• Source File: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_4c60000_chkdsk.jbxd
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0
• Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
• Instruction ID: 64f4606767d3f67ba631e978bb4b318db2cab3498840666617a24d4154ea1133
• Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
• Instruction Fuzzy Hash: 3101AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97240C630E851CBA4
APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,04C6F050,?,?,00000000), ref: 04C791BC
Memory Dump Source
• Source File: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_4c60000_chkdsk.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: c93d5144655a98af27dd9d7755c423c6bc5848ccb9f33eb30c3b4f92d4cc5cda
• Instruction ID: 70d29552d2c9b6d13791ea94b68a13071248c520b9fe97c292fbcf98815472be
• Opcode Fuzzy Hash: c93d5144655a98af27dd9d7755c423c6bc5848ccb9f33eb30c3b4f92d4cc5cda
• Instruction Fuzzy Hash: 9AE092773903043BE3306599AC02FA7B39DCB81B74F14002AFB0DEB2C0E595F40142A8
APIs
• RtlAllocateHeap.NTDLL(04C74536,?,04C74CAF,04C74CAF,?,04C74536,?,?,?,?,?,00000000,00000000,?), ref: 04C7A62D
Memory Dump Source
• Source File: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_4c60000_chkdsk.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 32e21e6d0a82522bed167e9b5e4d2873307510b5087c1c47a31221bf81a3f655
• Instruction ID: 4e93cdda5578a98ab0a3aac11c62aa0d9dec14d8b09e91538109d68659cb7a67
• Opcode Fuzzy Hash: 32e21e6d0a82522bed167e9b5e4d2873307510b5087c1c47a31221bf81a3f655
• Instruction Fuzzy Hash: CEE0267610A1882BE718A7E13D814FB7F0DC8C01247184AEAFA8C9D406C426A01143A1
APIs
• RtlAllocateHeap.NTDLL(04C74536,?,04C74CAF,04C74CAF,?,04C74536,?,?,?,?,?,00000000,00000000,?), ref: 04C7A62D
Memory Dump Source
• Source File: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_4c60000_chkdsk.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,04C6F1D2,04C6F1D2,?,00000000,?,?), ref: 04C7A7D0
Memory Dump Source
• Source File: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_4c60000_chkdsk.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
APIs
• SetErrorMode.KERNELBASE(00008003,?,04C68D14,?), ref: 04C6F6FB
Memory Dump Source
• Source File: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_4c60000_chkdsk.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
APIs
• SetErrorMode.KERNELBASE(00008003,?,04C68D14,?), ref: 04C6F6FB
Memory Dump Source
• Source File: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_4c60000_chkdsk.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
APIs
Memory Dump Source
• Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
• Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
• Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
• Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
Strings
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 057C4725
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 057C4655
• Execute=1, xrefs: 057C4713
• ExecuteOptions, xrefs: 057C46A0
• CLIENT(ntdll): Processing section info %ws..., xrefs: 057C4787
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 057C46FC
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 057C4742
Memory Dump Source
• Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
• Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
Similarity
• API ID:
• String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                                                                                                                                      • API String ID: 0-484625025
                                                                                                                                                                                                                      • Opcode ID: f376f9df7a45009e3aed851b43ceeb7e2bd9693be48059cbaf6982274ff3a949
                                                                                                                                                                                                                      • Instruction ID: 5560499fbc2a13531fa9b9995da5cff367e08034557a3e3ebd377e0c1961501a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f376f9df7a45009e3aed851b43ceeb7e2bd9693be48059cbaf6982274ff3a949
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AB511635780219BADF14EEA49C9DFBD77A9FF04310F1400E9E506A7181EB72AA45EF60
Memory Dump Source
• Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
• Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
• Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
• Instruction ID: 0892983bd6a550236ab86d8797c1798a4a7fe82933dd3f9f15e5a28d9d8b1592
• Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
• Instruction Fuzzy Hash: 7D819274E0D2499EDF2CCE68F891BFEBBB2BF45310F18425AD899A7291C6349440A771
Memory Dump Source
• Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
• Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$[$]:%u
• API String ID: 48624451-2819853543
• Opcode ID: f16c7ebe1862e84fecd12a454f0588d39f8f052af2c2562d943252394b49d9e1
• Instruction ID: 980772a789c74430535962b1d5d95b38595e7d352ad1c7588b12f002e78d98c9
• Opcode Fuzzy Hash: f16c7ebe1862e84fecd12a454f0588d39f8f052af2c2562d943252394b49d9e1
• Instruction Fuzzy Hash: 0921517AA00119ABDB50EF79DC48AFEBBF9BF44644F040116ED56E3240EB70E9019BA1
Strings
• RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 057C02E7
• RTL: Re-Waiting, xrefs: 057C031E
• RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 057C02BD
Memory Dump Source
• Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
• Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
Similarity
• API ID:
• String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
• API String ID: 0-2474120054
• Opcode ID: de4f9a3c7afdf4bd5109308c13b29f44da748ce398e13db6f59bd5430e82f274
• Instruction ID: 86d67992b33d851c98ba5ca4f6d04ccfcb3d69d52ad614d688faf347634919b6
• Opcode Fuzzy Hash: de4f9a3c7afdf4bd5109308c13b29f44da748ce398e13db6f59bd5430e82f274
• Instruction Fuzzy Hash: 08E1BE30608745DFDB24CF28D988B2ABBE1BB84314F140A5DF5968B2D1D774E944EB92
Strings
• RTL: Resource at %p, xrefs: 057C7B8E
• RTL: Re-Waiting, xrefs: 057C7BAC
• RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 057C7B7F
Memory Dump Source
• Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
• Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
Similarity
• API ID:
• String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 0-871070163
• Opcode ID: ab71172535fb920401ec42510fbe15ddc973b914cdf031aafd59f6c954272a1b
• Instruction ID: b9491b599507b35fdfe7bd6625724bb6623c6abc6f427ac8f47a04b61b1a3d6e
• Opcode Fuzzy Hash: ab71172535fb920401ec42510fbe15ddc973b914cdf031aafd59f6c954272a1b
• Instruction Fuzzy Hash: BE41DE753457029FCB24EE25C845F7AB7E6FB88720F000A1DF85A9B681DB31E805AB91
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 057C728C
Strings
• RTL: Resource at %p, xrefs: 057C72A3
• RTL: Re-Waiting, xrefs: 057C72C1
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 057C7294
Memory Dump Source
• Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
• Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
• Opcode ID: 5ccaf2e45c3f8516d576bf35d7bdff736e06893e12f4fc0a4046ba32d4b20f0f
• Instruction ID: 391e7c21f1a1042269b82eee78b304e848efa689135a4b4d19a78b956d345972
• Opcode Fuzzy Hash: 5ccaf2e45c3f8516d576bf35d7bdff736e06893e12f4fc0a4046ba32d4b20f0f
• Instruction Fuzzy Hash: 0641D031744606ABC724DE25CC46F6ABBB5FB84720F14061DF95A9B340DB30F806ABD1
Memory Dump Source
• Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
• Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: db5d477aef6cf8acb2f7129315c8b9d2d79f96e55888a34c537a71250e30bee4
• Instruction ID: 560d9b4a0c42adb5d072bfac13053ea9300d26ac4e26a7c0ccdfeb3578520f6a
• Opcode Fuzzy Hash: db5d477aef6cf8acb2f7129315c8b9d2d79f96e55888a34c537a71250e30bee4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AF3157766002199FCB60DF29DC48BEEB7F8FB44610F455555EC4AD3140EB709E459FA0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: __aulldvrm
                                                                                                                                                                                                                      • String ID: +$-
                                                                                                                                                                                                                      • API String ID: 1302938615-2137968064
                                                                                                                                                                                                                      • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                                                                                                                                                      • Instruction ID: f9c6979a712a9a5b68cf569069a1d3387d21fe87bfc4ff98030309484f3418b0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EF91D4B0E142159BDF2CCE69E881ABEB7B6FF46720F54451AE855F72C0E7308942A731
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: $$@
                                                                                                                                                                                                                      • API String ID: 0-1194432280
                                                                                                                                                                                                                      • Opcode ID: 0ddba73e778063c029d34d7d56659cfaa07203d184669f40190209efaedbd67b
                                                                                                                                                                                                                      • Instruction ID: 78cc8bddb6fafa9ba86e3e8912673a4aa12acd3164817b8b2df12c3e73b6d74f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0ddba73e778063c029d34d7d56659cfaa07203d184669f40190209efaedbd67b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4B8139B5D11269DBDB21CF54CC49BEAB6B4AF48750F0041EAEA19B7640E7709E80DFA0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • @_EH4_CallFilterFunc@8.LIBCMT ref: 057DCFBD
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, Offset: 05720000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.0000000005849000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.000000000584D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      • Associated: 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_5720000_chkdsk.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CallFilterFunc@8
                                                                                                                                                                                                                      • String ID: @$@4Cw@4Cw
                                                                                                                                                                                                                      • API String ID: 4062629308-3101775584
                                                                                                                                                                                                                      • Opcode ID: 68983d559a0af96817fbd13b3691a0f27fd7d8146457b62842d593910915f521
                                                                                                                                                                                                                      • Instruction ID: 485da83a773e8fd64f86c2118de2d59eceec72774366c5d349e2f0abcbee69a0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 68983d559a0af96817fbd13b3691a0f27fd7d8146457b62842d593910915f521
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4C419F71A04218DFCB21DFA5C848AAEFBB8FF95710F10452AED15DB250DB34D841EB61