
Windows Analysis Report
TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe

Overview

General Information

Sample name: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe
Original sample name: TEKLİF TALEP VE FİYAT TEKLİFİ 05-27-2024_xlsx.scr.exe
Analysis ID: 1448085
MD5: 6df3f8880a8b99ea7417f9f06828299d
SHA1: 36226a576ede9a2425e8f46c30de52233bd1cf54
SHA256: 62601d311e6061480f42b44495215c0137dd6436e74f5744008687898b28350b
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe (PID: 5756 cmdline: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe" MD5: 6DF3F8880A8B99EA7417F9F06828299D)
    • powershell.exe (PID: 3880 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 640 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 1944 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 3792 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QXnCjDPniyIC" /XML "C:\Users\user\AppData\Local\Temp\tmp6CFF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 368 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • QXnCjDPniyIC.exe (PID: 4068 cmdline: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe MD5: 6DF3F8880A8B99EA7417F9F06828299D)
    • schtasks.exe (PID: 6704 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QXnCjDPniyIC" /XML "C:\Users\user\AppData\Local\Temp\tmp9279.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 5280 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "cp8nl.hyperhost.ua", "Username": "royallog@fibraunollc.top", "Password": " 7213575aceACE@#$  "}
Source | Rule | Description | Author | Strings
0000000E.00000002.3307561590.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.2228628971.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000009.00000002.2228628971.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000002.3307561590.0000000002A57000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000002.3307561590.0000000002A99000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author | Strings
10.2.QXnCjDPniyIC.exe.45646a0.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
10.2.QXnCjDPniyIC.exe.45646a0.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
10.2.QXnCjDPniyIC.exe.45646a0.1.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x316e7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31759:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317e3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31875:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318df:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31951:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319e7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a77:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
9.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, ParentProcessId: 5756, ParentProcessName: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe", ProcessId: 3880, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QXnCjDPniyIC" /XML "C:\Users\user\AppData\Local\Temp\tmp9279.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QXnCjDPniyIC" /XML "C:\Users\user\AppData\Local\Temp\tmp9279.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe, ParentImage: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe, ParentProcessId: 4068, ParentProcessName: QXnCjDPniyIC.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QXnCjDPniyIC" /XML "C:\Users\user\AppData\Local\Temp\tmp9279.tmp", ProcessId: 6704, ProcessName: schtasks.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 185.174.175.187, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 368, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49706
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QXnCjDPniyIC" /XML "C:\Users\user\AppData\Local\Temp\tmp6CFF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QXnCjDPniyIC" /XML "C:\Users\user\AppData\Local\Temp\tmp6CFF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, ParentProcessId: 5756, ParentProcessName: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QXnCjDPniyIC" /XML "C:\Users\user\AppData\Local\Temp\tmp6CFF.tmp", ProcessId: 3792, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, ParentProcessId: 5756, ParentProcessName: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe", ProcessId: 3880, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QXnCjDPniyIC" /XML "C:\Users\user\AppData\Local\Temp\tmp6CFF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QXnCjDPniyIC" /XML "C:\Users\user\AppData\Local\Temp\tmp6CFF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, ParentProcessId: 5756, ParentProcessName: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QXnCjDPniyIC" /XML "C:\Users\user\AppData\Local\Temp\tmp6CFF.tmp", ProcessId: 3792, ProcessName: schtasks.exe
No Snort rule has matched


AV Detection

Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Avira: detection malicious, Label: HEUR/AGEN.1350996
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4adbee0.8.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "cp8nl.hyperhost.ua", "Username": "royallog@fibraunollc.top", "Password": " 7213575aceACE@#$ "}
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Virustotal: Detection: 58%
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Virustotal: Detection: 58%
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | ReversingLabs: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Joe Sandbox ML: detected
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Unpacked PE file: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9e0000.0.unpack
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 4x nop then jmp 099D9AB9h | 0_2_099D9215
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 10_2_05A4B648
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 10_2_05A49B7C
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 4x nop then jmp 09C08EB1h | 10_2_09C0860D
Source: global traffic | TCP traffic: 192.168.2.6:49706 -> 185.174.175.187:587
Source: Joe Sandbox View | IP Address: 185.174.175.187
Source: Joe Sandbox View | ASN Name: ITLDC-NLUA
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: cp8nl.hyperhost.ua
Source: RegSvcs.exe, 00000009.00000002.2230819074.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3307561590.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cp8nl.hyperhost.ua
Source: RegSvcs.exe, 00000009.00000002.2230819074.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2235440286.0000000006540000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3307561590.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3314257749.0000000005E4C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3314257749.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3314257749.0000000005E30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000009.00000002.2235440286.0000000006540000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3314257749.0000000005E4C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, QXnCjDPniyIC.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, QXnCjDPniyIC.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RegSvcs.exe, 00000009.00000002.2230819074.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2235440286.0000000006540000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3307561590.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3314257749.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: RegSvcs.exe, 00000009.00000002.2230819074.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2235440286.0000000006540000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3307561590.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3314257749.0000000005E4C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3314257749.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3314257749.0000000005E30000.00000004.00000020.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, QXnCjDPniyIC.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000009.00000002.2230819074.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2235440286.0000000006540000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3307561590.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3314257749.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, 00000000.00000002.2149268107.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, 00000000.00000002.2149268107.000000000316D000.00000004.00000800.00020000.00000000.sdmp, QXnCjDPniyIC.exe, 0000000A.00000002.2248633440.0000000003501000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, 00000000.00000002.2150829898.0000000004ADB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2228628971.0000000000402000.00000040.00000400.00020000.00000000.sdmp, QXnCjDPniyIC.exe, 0000000A.00000002.2254353479.0000000004564000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000009.00000002.2230819074.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2235440286.0000000006540000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3307561590.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3314257749.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, QXnCjDPniyIC.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4adbee0.8.raw.unpack, hxAF.cs | .Net Code: gcE
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4b16900.7.raw.unpack, hxAF.cs | .Net Code: gcE

System Summary

Source: 10.2.QXnCjDPniyIC.exe.45646a0.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4b16900.7.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 10.2.QXnCjDPniyIC.exe.459f0c0.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4adbee0.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 10.2.QXnCjDPniyIC.exe.45646a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 10.2.QXnCjDPniyIC.exe.459f0c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4b16900.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4adbee0.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.2dc39f0.2.raw.unpack, .cs | Large array initialization: array initializer size 27103
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_02C41380
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_02C434A0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_02C425E8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_02C41BF8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_02C40871
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_02C442D0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_02C442E0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_02C41329
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_02C456D1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_02C456E0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_02C41638
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_02C454C1
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_02C454D0
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_02C43453
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_02C43432
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_02C45B40
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_02C45929
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_02C45938
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_099DB318
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_099D3068
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_099D349A
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_099D4CA8
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_099D2C18
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_099D2C30
Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_099D5640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01879BE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01874A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0187CDA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01873E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_018741C8
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 10_2_01851380
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 10_2_018525E8
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 10_2_018534A0
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 10_2_01850878
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 10_2_01851BF8
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 10_2_018533BD
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 10_2_01851329
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 10_2_0185337F
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 10_2_018542D0
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 10_2_018542E0
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 10_2_018554C8
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 10_2_018554D0
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 10_2_018556D1
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 10_2_018556E0
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 10_2_01851638
Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 10_2_01855929
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeCode function: 10_2_0185593810_2_01855938
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeCode function: 10_2_01855B4010_2_01855B40
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeCode function: 10_2_05A469CC10_2_05A469CC
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeCode function: 10_2_05A489CA10_2_05A489CA
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeCode function: 10_2_05A489D810_2_05A489D8
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeCode function: 10_2_09C0A5D810_2_09C0A5D8
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeCode function: 10_2_09C0319810_2_09C03198
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeCode function: 10_2_09C035C210_2_09C035C2
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeCode function: 10_2_09C04DD810_2_09C04DD8
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeCode function: 10_2_09C02D4810_2_09C02D48
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeCode function: 10_2_09C02D6010_2_09C02D60
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeCode function: 10_2_09C0577010_2_09C05770
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_029D937814_2_029D9378
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_029D4A9814_2_029D4A98
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_029D9BE814_2_029D9BE8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_029D3E8014_2_029D3E80
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_029DCDA814_2_029DCDA8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_029D41C814_2_029D41C8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_05D03F6014_2_05D03F60
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_05D056F014_2_05D056F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_05D0004014_2_05D00040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_05D08BA214_2_05D08BA2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_05D02AF814_2_05D02AF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_05D0DDF314_2_05D0DDF3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_05D0BFD814_2_05D0BFD8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_05D0501014_2_05D05010
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_05D0326814_2_05D03268
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_029D9BE214_2_029D9BE2
                    Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Static PE information: invalid certificate
                    Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, 00000000.00000002.2150829898.000000000477E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe
                    Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, 00000000.00000002.2149268107.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe
                    Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, 00000000.00000002.2148388586.000000000109E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe
                    Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, 00000000.00000002.2150829898.0000000004ADB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec25e7689-8eb9-43a0-830e-91b697d7907d.exe4 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe
                    Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, 00000000.00000002.2157909517.0000000009CA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe
                    Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, 00000000.00000002.2149268107.000000000316D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec25e7689-8eb9-43a0-830e-91b697d7907d.exe4 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe
                    Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, 00000000.00000002.2156238015.0000000007830000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe
                    Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Binary or memory string: OriginalFilenamezSnw.exe4 vs TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe
                    Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 10.2.QXnCjDPniyIC.exe.45646a0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4b16900.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 10.2.QXnCjDPniyIC.exe.459f0c0.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4adbee0.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 10.2.QXnCjDPniyIC.exe.45646a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 10.2.QXnCjDPniyIC.exe.459f0c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4b16900.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4adbee0.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: QXnCjDPniyIC.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4adbee0.8.raw.unpack, N43UVggPg.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4adbee0.8.raw.unpack, N43UVggPg.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4adbee0.8.raw.unpack, Ow96S4wT.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4adbee0.8.raw.unpack, MjzNdC.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, iG6QSRHGbtc0WJJHIo.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, bq7yqmOPqa0uGxg0v1.cs | Security API names: _0020.SetAccessControl
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, bq7yqmOPqa0uGxg0v1.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, bq7yqmOPqa0uGxg0v1.cs | Security API names: _0020.AddAccessRule
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, bq7yqmOPqa0uGxg0v1.cs | Security API names: _0020.SetAccessControl
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, bq7yqmOPqa0uGxg0v1.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, bq7yqmOPqa0uGxg0v1.cs | Security API names: _0020.AddAccessRule
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, bq7yqmOPqa0uGxg0v1.cs | Security API names: _0020.SetAccessControl
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, bq7yqmOPqa0uGxg0v1.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, bq7yqmOPqa0uGxg0v1.cs | Security API names: _0020.AddAccessRule
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, iG6QSRHGbtc0WJJHIo.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, iG6QSRHGbtc0WJJHIo.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@19/15@1/1
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | File created: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4396:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2332:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2720:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Mutant created: \Sessions\1\BaseNamedObjects\hdjuIOqaLijtvTutoBOuWEDgFP
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2728:120:WilError_03
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | File created: C:\Users\user\AppData\Local\Temp\tmp6CFF.tmp
                    Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Virustotal: Detection: 58%
                    Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | ReversingLabs: Detection: 44%
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | File read: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe:Zone.Identifier
                    Source: unknown | Process created: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe"
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QXnCjDPniyIC" /XML "C:\Users\user\AppData\Local\Temp\tmp6CFF.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QXnCjDPniyIC" /XML "C:\Users\user\AppData\Local\Temp\tmp9279.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Unpacked PE file: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9e0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Unpacked PE file: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9e0000.0.unpack
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.2dc39f0.2.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, bq7yqmOPqa0uGxg0v1.cs | .Net Code: hQBC1pvd4K System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, bq7yqmOPqa0uGxg0v1.cs | .Net Code: hQBC1pvd4K System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, bq7yqmOPqa0uGxg0v1.cs | .Net Code: hQBC1pvd4K System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_00AA4437 push 0000007Fh; iretd 0_2_00AA4447
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_00AA4412 push 0000007Fh; iretd 0_2_00AA4422
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_00AA43ED push 0000007Fh; iretd 0_2_00AA43FD
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_009E2D50 push esi; ret 0_2_009E2D51
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_00AA43C8 push 0000007Fh; iretd 0_2_00AA43D8
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_02C4645A push esi; ret 0_2_02C4645B
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_02C46F83 pushfd ; ret 0_2_02C46F84
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Code function: 0_2_099D4328 pushad ; retf 0_2_099D4331
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 10_2_0185645A push esi; ret 10_2_0185645B
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 10_2_01856F83 pushfd ; ret 10_2_01856F84
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Code function: 10_2_09C04463 pushad ; retf 10_2_09C04469
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_05D0BD02 push es; iretd 14_2_05D0BD12
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_05D0C481 push cs; iretd 14_2_05D0C482
                    Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Static PE information: section name: .text entropy: 7.838584752492977
                    Source: QXnCjDPniyIC.exe.0.dr | Static PE information: section name: .text entropy: 7.838584752492977
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, mAaYPaXcxCGm71fkr3.cs | High entropy of concatenated method names: 'mmZ8V59DTF', 'Mt08xdwNcR', 'i2j8T7T37D', 'MUJ8AH40YN', 'bkn8OVRpOn', 'HCTTEPx9Ue', 'zksTMf5B5B', 'qeYTiNMqE5', 'JsWTpFmggO', 'LeuTI4vwxo'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, arWDyMQhu00lHqvNNv.cs | High entropy of concatenated method names: 'w0k2HotmoC', 'Mey2R4Mkic', 'i1l2XUkm6P', 'otv2c5jRyY', 'Qpo2YouqBx', 'Ydb2jdMseD', 'hbt2bBZpp7', 'uOR2JDlvm6', 'sh62BolLRl', 'x1u2S8xAdD'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, aHxXG6eepXJQdW5mY7.cs | High entropy of concatenated method names: 'Pft1bENf7', 'teka0vnO1', 'Ey3nByF98', 'c4392JcAb', 'zy9Rn8asu', 'Rxc4Wvktl', 'dS7EjxTR8IMdTOwGK7', 'qs3K937oFyfqxpSwG8', 'MsfLLyWD8', 'kmGqZp0El'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, eVxJTa0aSqwwebICOh.cs | High entropy of concatenated method names: 'UBlwr0gmIB', 'GWxwNEvfN5', 'OkAwC61S93', 'Vg4w5jKR8p', 'VlUwxCAdk5', 'DD8wTDiuMi', 'U57w8Cydkp', 'CfbLiBRNcy', 'rUVLpxhnNZ', 'XnyLIcbF1Y'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, nt7KjXteZ0EeZoqnLP.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fJMeI7L82Z', 'qk3e0GoX1f', 'Yrtez8KgSM', 'vLaNymKPQe', 'PqsNrRrdGB', 'anUNeyZL9B', 'kGyNNJN4Tn', 'lUKjYEHCVh8wPFUSlIN'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, bmdnNix6wa9od7W2kf.cs | High entropy of concatenated method names: 'Dispose', 'Sp9rI6tV1s', 'KUfecFF2L4', 'gq9TTXoZdb', 'P1Or0a6MEt', 'FUwrzVSxi3', 'ProcessDialogKey', 'CfTeyljh6b', 'MfRer8LwPC', 'uyoeeVVxJT'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, iG6QSRHGbtc0WJJHIo.cs | High entropy of concatenated method names: 'Bwsxl0HTiF', 'wMyxkH7RsX', 'ueNxPCAnFA', 'QaIxhDMinX', 'M4PxEOocK4', 'FlbxMtFWUy', 'rNZxi9rlnO', 'p0NxpulVDd', 'wjGxIBfApK', 'dxgx0VsqEg'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, Gwlcl7sx3SAsgCQCqK.cs | High entropy of concatenated method names: 'MdyA61JMDP', 'jhtAGaqMhP', 'mN1A1Q3QaG', 'vP7AaJYWhl', 'VsHAf0u0cX', 'J2YAnantwl', 'tGxA9cN7Sy', 'yhTAHeDMr2', 'AMgARwXpXt', 'TR6A4Abcj7'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, iljh6bIsfR8LwPCKyo.cs | High entropy of concatenated method names: 'SYFLXw6OjU', 'WNmLcOeKC0', 'wYNL3QPQIo', 'Ke3LYu3qqn', 'UrYLlbUTKM', 'gvDLjBgMtf', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, zOa6MEpt4UwVSxi3nf.cs | High entropy of concatenated method names: 'ffAL55BpX9', 'sy8LxMAGTY', 'HivLtqdhG2', 'UVKLTGRixu', 'KqiL8FtfDS', 'jhVLAsLqI4', 'UGXLOevOQ9', 'B3VLv7n9LD', 'ixTL71jrAd', 'rdOLD6QJN9'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, KmF9JJMuwTR3VjZxil.cs | High entropy of concatenated method names: 'PWaWpKf4YP', 'zrqW0rZpm8', 'B3yLyF75eY', 'EIRLro2pil', 'eo8WSsy7js', 'PFiWul7YOK', 'AQgWQuiHd0', 'u2sWlsyesi', 'JPbWkbhw0g', 'B8xWPAy3Sw'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, hfMlWPRH8k61kD3xy2.cs | High entropy of concatenated method names: 'mFJtaQWsjX', 'FOJtnt7xPx', 'jmjtHpBZeX', 'sxXtRKwQU9', 'xCJtZ6GYIW', 'uTCtopZ1Sa', 'NPKtWjDnD8', 'R42tL4iP5A', 'AuStwZUfdP', 'gygtq5jKCA'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, hpcutRrNfp7Lmbki4ev.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oC5qlLFwWC', 'E2FqkG4Wvl', 'YrvqPRSXfQ', 'gw5qh9sfVP', 'VhaqEC7pgq', 'Py7qMiUDdb', 'MexqiKsF1F'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, SB9rapb9k1N49nNr69.cs | High entropy of concatenated method names: 'slDA59lFpu', 'EE2AtVDrXA', 'yrTA87GSj8', 'gmV80k2tYq', 'bmU8zX43JV', 'NpoAy0utrl', 'FQcAr1agEC', 'GjoAerjAvt', 'jLWANRD7Qy', 'VvjACag4Pf'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, bEbwofP0IMIDXbe8rj.cs | High entropy of concatenated method names: 'ToString', 'LK6oSktWrB', 'IQuocCkanu', 'BMEo3ITvPc', 'D2woYYNhYP', 'hFJojFeW3s', 'CYxoFeAbWC', 'a6oobAI8Px', 'EPXoJqcj9k', 'THhosdnK7a'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, Jx9rfLCbKvDOjC8VWZ.cs | High entropy of concatenated method names: 'pBTrAG6QSR', 'ybtrOc0WJJ', 'SH8r7k61kD', 'HxyrD2qbBi', 'jhIrZTJ7Aa', 'JParocxCGm', 'KbQv5MNKPQMJk4mlyQ', 'i90HHw9DP3WD6XPmJw', 'K32rrIEjpA', 'cMlrNnBMM6'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, bq7yqmOPqa0uGxg0v1.cs | High entropy of concatenated method names: 'sGRNVVGqO2', 'CBkN59QXYR', 'a6eNxlc6Rl', 'LMwNt7Pdsp', 'uuVNTLr0Kw', 'FI8N8fIAVP', 'ceQNA6KTjV', 'j4dNOAytqF', 'ptMNvgy3lb', 'gUrN7v1TXL'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, fNYd4cry11ZEHXeorVK.cs | High entropy of concatenated method names: 'AJXw6ladjy', 'svmwGAJgsi', 'wf7w1LIX8c', 'Hffwa8KXXf', 'rtFwfT2tep', 'W2nwnG7hMY', 'AGVw9P1WwW', 'IQMwHO7Rsm', 'iRwwRhVRpl', 'VyVw4AMD5S'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, U4mqlmrrkpW67qyEknw.cs | High entropy of concatenated method names: 'ToString', 'jcPqNOIGph', 'CU6qCsOMcZ', 'PnBqVdMMxR', 'DlJq5mQINJ', 'PNQqxxlPWk', 'C4qqtcjoQr', 'aHWqT8aYyL', 'LtMTlq45dW5A3M1Zhlk', 'x6EOaT4nrhDPXQu9a2W'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4985540.9.raw.unpack, b8IvIPlQ4uyqcUMaP1.cs | High entropy of concatenated method names: 'FYPZBDn8g0', 'XNRZuQaoMX', 'JbZZlv6w9i', 'OSDZkFWoC4', 'BQsZcMJeBl', 'i4dZ3lX8LW', 'Qx1ZYbOdQI', 'gsGZjMtn3R', 'IwBZFWLhxV', 'fdHZbT9JfB'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, mAaYPaXcxCGm71fkr3.cs | High entropy of concatenated method names: 'mmZ8V59DTF', 'Mt08xdwNcR', 'i2j8T7T37D', 'MUJ8AH40YN', 'bkn8OVRpOn', 'HCTTEPx9Ue', 'zksTMf5B5B', 'qeYTiNMqE5', 'JsWTpFmggO', 'LeuTI4vwxo'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, arWDyMQhu00lHqvNNv.cs | High entropy of concatenated method names: 'w0k2HotmoC', 'Mey2R4Mkic', 'i1l2XUkm6P', 'otv2c5jRyY', 'Qpo2YouqBx', 'Ydb2jdMseD', 'hbt2bBZpp7', 'uOR2JDlvm6', 'sh62BolLRl', 'x1u2S8xAdD'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, aHxXG6eepXJQdW5mY7.cs | High entropy of concatenated method names: 'Pft1bENf7', 'teka0vnO1', 'Ey3nByF98', 'c4392JcAb', 'zy9Rn8asu', 'Rxc4Wvktl', 'dS7EjxTR8IMdTOwGK7', 'qs3K937oFyfqxpSwG8', 'MsfLLyWD8', 'kmGqZp0El'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, eVxJTa0aSqwwebICOh.cs | High entropy of concatenated method names: 'UBlwr0gmIB', 'GWxwNEvfN5', 'OkAwC61S93', 'Vg4w5jKR8p', 'VlUwxCAdk5', 'DD8wTDiuMi', 'U57w8Cydkp', 'CfbLiBRNcy', 'rUVLpxhnNZ', 'XnyLIcbF1Y'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, nt7KjXteZ0EeZoqnLP.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fJMeI7L82Z', 'qk3e0GoX1f', 'Yrtez8KgSM', 'vLaNymKPQe', 'PqsNrRrdGB', 'anUNeyZL9B', 'kGyNNJN4Tn', 'lUKjYEHCVh8wPFUSlIN'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, bmdnNix6wa9od7W2kf.cs | High entropy of concatenated method names: 'Dispose', 'Sp9rI6tV1s', 'KUfecFF2L4', 'gq9TTXoZdb', 'P1Or0a6MEt', 'FUwrzVSxi3', 'ProcessDialogKey', 'CfTeyljh6b', 'MfRer8LwPC', 'uyoeeVVxJT'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, iG6QSRHGbtc0WJJHIo.cs | High entropy of concatenated method names: 'Bwsxl0HTiF', 'wMyxkH7RsX', 'ueNxPCAnFA', 'QaIxhDMinX', 'M4PxEOocK4', 'FlbxMtFWUy', 'rNZxi9rlnO', 'p0NxpulVDd', 'wjGxIBfApK', 'dxgx0VsqEg'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, Gwlcl7sx3SAsgCQCqK.cs | High entropy of concatenated method names: 'MdyA61JMDP', 'jhtAGaqMhP', 'mN1A1Q3QaG', 'vP7AaJYWhl', 'VsHAf0u0cX', 'J2YAnantwl', 'tGxA9cN7Sy', 'yhTAHeDMr2', 'AMgARwXpXt', 'TR6A4Abcj7'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, iljh6bIsfR8LwPCKyo.cs | High entropy of concatenated method names: 'SYFLXw6OjU', 'WNmLcOeKC0', 'wYNL3QPQIo', 'Ke3LYu3qqn', 'UrYLlbUTKM', 'gvDLjBgMtf', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, zOa6MEpt4UwVSxi3nf.cs | High entropy of concatenated method names: 'ffAL55BpX9', 'sy8LxMAGTY', 'HivLtqdhG2', 'UVKLTGRixu', 'KqiL8FtfDS', 'jhVLAsLqI4', 'UGXLOevOQ9', 'B3VLv7n9LD', 'ixTL71jrAd', 'rdOLD6QJN9'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, KmF9JJMuwTR3VjZxil.cs | High entropy of concatenated method names: 'PWaWpKf4YP', 'zrqW0rZpm8', 'B3yLyF75eY', 'EIRLro2pil', 'eo8WSsy7js', 'PFiWul7YOK', 'AQgWQuiHd0', 'u2sWlsyesi', 'JPbWkbhw0g', 'B8xWPAy3Sw'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, hfMlWPRH8k61kD3xy2.cs | High entropy of concatenated method names: 'mFJtaQWsjX', 'FOJtnt7xPx', 'jmjtHpBZeX', 'sxXtRKwQU9', 'xCJtZ6GYIW', 'uTCtopZ1Sa', 'NPKtWjDnD8', 'R42tL4iP5A', 'AuStwZUfdP', 'gygtq5jKCA'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, hpcutRrNfp7Lmbki4ev.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oC5qlLFwWC', 'E2FqkG4Wvl', 'YrvqPRSXfQ', 'gw5qh9sfVP', 'VhaqEC7pgq', 'Py7qMiUDdb', 'MexqiKsF1F'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, SB9rapb9k1N49nNr69.cs | High entropy of concatenated method names: 'slDA59lFpu', 'EE2AtVDrXA', 'yrTA87GSj8', 'gmV80k2tYq', 'bmU8zX43JV', 'NpoAy0utrl', 'FQcAr1agEC', 'GjoAerjAvt', 'jLWANRD7Qy', 'VvjACag4Pf'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, bEbwofP0IMIDXbe8rj.cs | High entropy of concatenated method names: 'ToString', 'LK6oSktWrB', 'IQuocCkanu', 'BMEo3ITvPc', 'D2woYYNhYP', 'hFJojFeW3s', 'CYxoFeAbWC', 'a6oobAI8Px', 'EPXoJqcj9k', 'THhosdnK7a'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, Jx9rfLCbKvDOjC8VWZ.cs | High entropy of concatenated method names: 'pBTrAG6QSR', 'ybtrOc0WJJ', 'SH8r7k61kD', 'HxyrD2qbBi', 'jhIrZTJ7Aa', 'JParocxCGm', 'KbQv5MNKPQMJk4mlyQ', 'i90HHw9DP3WD6XPmJw', 'K32rrIEjpA', 'cMlrNnBMM6'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, bq7yqmOPqa0uGxg0v1.cs | High entropy of concatenated method names: 'sGRNVVGqO2', 'CBkN59QXYR', 'a6eNxlc6Rl', 'LMwNt7Pdsp', 'uuVNTLr0Kw', 'FI8N8fIAVP', 'ceQNA6KTjV', 'j4dNOAytqF', 'ptMNvgy3lb', 'gUrN7v1TXL'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, fNYd4cry11ZEHXeorVK.cs | High entropy of concatenated method names: 'AJXw6ladjy', 'svmwGAJgsi', 'wf7w1LIX8c', 'Hffwa8KXXf', 'rtFwfT2tep', 'W2nwnG7hMY', 'AGVw9P1WwW', 'IQMwHO7Rsm', 'iRwwRhVRpl', 'VyVw4AMD5S'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, U4mqlmrrkpW67qyEknw.cs | High entropy of concatenated method names: 'ToString', 'jcPqNOIGph', 'CU6qCsOMcZ', 'PnBqVdMMxR', 'DlJq5mQINJ', 'PNQqxxlPWk', 'C4qqtcjoQr', 'aHWqT8aYyL', 'LtMTlq45dW5A3M1Zhlk', 'x6EOaT4nrhDPXQu9a2W'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.9ca0000.13.raw.unpack, b8IvIPlQ4uyqcUMaP1.cs | High entropy of concatenated method names: 'FYPZBDn8g0', 'XNRZuQaoMX', 'JbZZlv6w9i', 'OSDZkFWoC4', 'BQsZcMJeBl', 'i4dZ3lX8LW', 'Qx1ZYbOdQI', 'gsGZjMtn3R', 'IwBZFWLhxV', 'fdHZbT9JfB'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, mAaYPaXcxCGm71fkr3.cs | High entropy of concatenated method names: 'mmZ8V59DTF', 'Mt08xdwNcR', 'i2j8T7T37D', 'MUJ8AH40YN', 'bkn8OVRpOn', 'HCTTEPx9Ue', 'zksTMf5B5B', 'qeYTiNMqE5', 'JsWTpFmggO', 'LeuTI4vwxo'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, arWDyMQhu00lHqvNNv.cs | High entropy of concatenated method names: 'w0k2HotmoC', 'Mey2R4Mkic', 'i1l2XUkm6P', 'otv2c5jRyY', 'Qpo2YouqBx', 'Ydb2jdMseD', 'hbt2bBZpp7', 'uOR2JDlvm6', 'sh62BolLRl', 'x1u2S8xAdD'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, aHxXG6eepXJQdW5mY7.cs | High entropy of concatenated method names: 'Pft1bENf7', 'teka0vnO1', 'Ey3nByF98', 'c4392JcAb', 'zy9Rn8asu', 'Rxc4Wvktl', 'dS7EjxTR8IMdTOwGK7', 'qs3K937oFyfqxpSwG8', 'MsfLLyWD8', 'kmGqZp0El'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, eVxJTa0aSqwwebICOh.cs | High entropy of concatenated method names: 'UBlwr0gmIB', 'GWxwNEvfN5', 'OkAwC61S93', 'Vg4w5jKR8p', 'VlUwxCAdk5', 'DD8wTDiuMi', 'U57w8Cydkp', 'CfbLiBRNcy', 'rUVLpxhnNZ', 'XnyLIcbF1Y'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, nt7KjXteZ0EeZoqnLP.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fJMeI7L82Z', 'qk3e0GoX1f', 'Yrtez8KgSM', 'vLaNymKPQe', 'PqsNrRrdGB', 'anUNeyZL9B', 'kGyNNJN4Tn', 'lUKjYEHCVh8wPFUSlIN'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, bmdnNix6wa9od7W2kf.cs | High entropy of concatenated method names: 'Dispose', 'Sp9rI6tV1s', 'KUfecFF2L4', 'gq9TTXoZdb', 'P1Or0a6MEt', 'FUwrzVSxi3', 'ProcessDialogKey', 'CfTeyljh6b', 'MfRer8LwPC', 'uyoeeVVxJT'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, iG6QSRHGbtc0WJJHIo.cs | High entropy of concatenated method names: 'Bwsxl0HTiF', 'wMyxkH7RsX', 'ueNxPCAnFA', 'QaIxhDMinX', 'M4PxEOocK4', 'FlbxMtFWUy', 'rNZxi9rlnO', 'p0NxpulVDd', 'wjGxIBfApK', 'dxgx0VsqEg'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, Gwlcl7sx3SAsgCQCqK.cs | High entropy of concatenated method names: 'MdyA61JMDP', 'jhtAGaqMhP', 'mN1A1Q3QaG', 'vP7AaJYWhl', 'VsHAf0u0cX', 'J2YAnantwl', 'tGxA9cN7Sy', 'yhTAHeDMr2', 'AMgARwXpXt', 'TR6A4Abcj7'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, iljh6bIsfR8LwPCKyo.cs | High entropy of concatenated method names: 'SYFLXw6OjU', 'WNmLcOeKC0', 'wYNL3QPQIo', 'Ke3LYu3qqn', 'UrYLlbUTKM', 'gvDLjBgMtf', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, zOa6MEpt4UwVSxi3nf.cs | High entropy of concatenated method names: 'ffAL55BpX9', 'sy8LxMAGTY', 'HivLtqdhG2', 'UVKLTGRixu', 'KqiL8FtfDS', 'jhVLAsLqI4', 'UGXLOevOQ9', 'B3VLv7n9LD', 'ixTL71jrAd', 'rdOLD6QJN9'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, KmF9JJMuwTR3VjZxil.cs | High entropy of concatenated method names: 'PWaWpKf4YP', 'zrqW0rZpm8', 'B3yLyF75eY', 'EIRLro2pil', 'eo8WSsy7js', 'PFiWul7YOK', 'AQgWQuiHd0', 'u2sWlsyesi', 'JPbWkbhw0g', 'B8xWPAy3Sw'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, hfMlWPRH8k61kD3xy2.cs | High entropy of concatenated method names: 'mFJtaQWsjX', 'FOJtnt7xPx', 'jmjtHpBZeX', 'sxXtRKwQU9', 'xCJtZ6GYIW', 'uTCtopZ1Sa', 'NPKtWjDnD8', 'R42tL4iP5A', 'AuStwZUfdP', 'gygtq5jKCA'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, hpcutRrNfp7Lmbki4ev.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oC5qlLFwWC', 'E2FqkG4Wvl', 'YrvqPRSXfQ', 'gw5qh9sfVP', 'VhaqEC7pgq', 'Py7qMiUDdb', 'MexqiKsF1F'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, SB9rapb9k1N49nNr69.csHigh entropy of concatenated method names: 'slDA59lFpu', 'EE2AtVDrXA', 'yrTA87GSj8', 'gmV80k2tYq', 'bmU8zX43JV', 'NpoAy0utrl', 'FQcAr1agEC', 'GjoAerjAvt', 'jLWANRD7Qy', 'VvjACag4Pf'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, bEbwofP0IMIDXbe8rj.csHigh entropy of concatenated method names: 'ToString', 'LK6oSktWrB', 'IQuocCkanu', 'BMEo3ITvPc', 'D2woYYNhYP', 'hFJojFeW3s', 'CYxoFeAbWC', 'a6oobAI8Px', 'EPXoJqcj9k', 'THhosdnK7a'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, Jx9rfLCbKvDOjC8VWZ.csHigh entropy of concatenated method names: 'pBTrAG6QSR', 'ybtrOc0WJJ', 'SH8r7k61kD', 'HxyrD2qbBi', 'jhIrZTJ7Aa', 'JParocxCGm', 'KbQv5MNKPQMJk4mlyQ', 'i90HHw9DP3WD6XPmJw', 'K32rrIEjpA', 'cMlrNnBMM6'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, bq7yqmOPqa0uGxg0v1.csHigh entropy of concatenated method names: 'sGRNVVGqO2', 'CBkN59QXYR', 'a6eNxlc6Rl', 'LMwNt7Pdsp', 'uuVNTLr0Kw', 'FI8N8fIAVP', 'ceQNA6KTjV', 'j4dNOAytqF', 'ptMNvgy3lb', 'gUrN7v1TXL'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, fNYd4cry11ZEHXeorVK.csHigh entropy of concatenated method names: 'AJXw6ladjy', 'svmwGAJgsi', 'wf7w1LIX8c', 'Hffwa8KXXf', 'rtFwfT2tep', 'W2nwnG7hMY', 'AGVw9P1WwW', 'IQMwHO7Rsm', 'iRwwRhVRpl', 'VyVw4AMD5S'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, U4mqlmrrkpW67qyEknw.csHigh entropy of concatenated method names: 'ToString', 'jcPqNOIGph', 'CU6qCsOMcZ', 'PnBqVdMMxR', 'DlJq5mQINJ', 'PNQqxxlPWk', 'C4qqtcjoQr', 'aHWqT8aYyL', 'LtMTlq45dW5A3M1Zhlk', 'x6EOaT4nrhDPXQu9a2W'
                    Source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4a01760.6.raw.unpack, b8IvIPlQ4uyqcUMaP1.csHigh entropy of concatenated method names: 'FYPZBDn8g0', 'XNRZuQaoMX', 'JbZZlv6w9i', 'OSDZkFWoC4', 'BQsZcMJeBl', 'i4dZ3lX8LW', 'Qx1ZYbOdQI', 'gsGZjMtn3R', 'IwBZFWLhxV', 'fdHZbT9JfB'
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, File created: \tekl#u0130f talep ve f#u0130yat tekl#u0130f#u0130 05-27-2024_xlsx.scr.exe
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, File created: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QXnCjDPniyIC" /XML "C:\Users\user\AppData\Local\Temp\tmp6CFF.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe PID: 5756, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: QXnCjDPniyIC.exe PID: 4068, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Memory allocated: 2BF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Memory allocated: 2DA0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Memory allocated: 4DA0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Memory allocated: 5400000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Memory allocated: 6400000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Memory allocated: 6530000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Memory allocated: 7530000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Memory allocated: 9F40000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Memory allocated: AF40000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Memory allocated: B3D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Memory allocated: C3D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Memory allocated: 1850000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Memory allocated: 3500000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Memory allocated: 3230000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Memory allocated: 5A60000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Memory allocated: 6A60000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Memory allocated: 6B90000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Memory allocated: 7B90000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Memory allocated: 9F60000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5938
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7417
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2666
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 3204
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 4512
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1165
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe TID: 5668 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5476 | Thread sleep count: 5938 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3652 | Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5476 | Thread sleep count: 118 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4544 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3744 | Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4092 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe TID: 2744 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Last function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99874
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99763
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99648
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99544
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99315
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99199
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99092
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98874
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98655
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98546
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98327
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98218
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97997
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97669
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97452
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97343
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97124
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97015
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96905
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99552
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99422
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99092
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98764
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98545
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98215
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97671
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97452
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97343
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96980
                    Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, 00000000.00000002.2148388586.00000000010D1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                    Source: RegSvcs.exe, 00000009.00000002.2235440286.0000000006540000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3314257749.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, 00000000.00000002.2157909517.0000000009CA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: n6dmDO4yVmCIQffMunq
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe"
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe"
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43C000
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 10E6008
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43C000
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 955008
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QXnCjDPniyIC" /XML "C:\Users\user\AppData\Local\Temp\tmp6CFF.tmp"
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QXnCjDPniyIC" /XML "C:\Users\user\AppData\Local\Temp\tmp9279.tmp"
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Queries volume information: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe VolumeInformation
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Queries volume information: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 10.2.QXnCjDPniyIC.exe.45646a0.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4b16900.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.QXnCjDPniyIC.exe.459f0c0.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4adbee0.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.QXnCjDPniyIC.exe.45646a0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.QXnCjDPniyIC.exe.459f0c0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4b16900.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4adbee0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000E.00000002.3307561590.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.2228628971.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.3307561590.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000E.00000002.3307561590.0000000002A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.2230819074.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.2254353479.0000000004564000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.2230819074.0000000003209000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.2230819074.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2150829898.0000000004ADB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe PID: 5756, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 368, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: QXnCjDPniyIC.exe PID: 4068, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5280, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match; File source: 10.2.QXnCjDPniyIC.exe.45646a0.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4b16900.7.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.QXnCjDPniyIC.exe.459f0c0.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4adbee0.8.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.QXnCjDPniyIC.exe.45646a0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.QXnCjDPniyIC.exe.459f0c0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4b16900.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4adbee0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000009.00000002.2228628971.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000A.00000002.2254353479.0000000004564000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000009.00000002.2230819074.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.2150829898.0000000004ADB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe PID: 5756, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 368, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: QXnCjDPniyIC.exe PID: 4068, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5280, type: MEMORYSTR
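The file and registry accesses listed above (Chrome and Edge Login Data, the Firefox, Thunderbird, Cyberfox and BlackHawk profiles.ini files, FTP Navigator's Ftplist.txt, the WinSCP Sessions key, the Windows Messaging Subsystem profiles and IncrediMail identities) all come from RegSvcs.exe, a .NET Framework utility that has no reason to read credential stores. The block below is an added detection example written for this page, not code from the sample, from Joe Sandbox or from any vendor. It runs a credential-store access rule over constructed Sysmon-style file/registry-access events (process image plus target path) and scores each process by how many distinct store families it touched, since a stealer sweeps browser, mail, FTP and SSH stores in one pass while a legitimate client opens only its own. The PIDs, the control events and the allow-list of expected accessor processes are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Credential-store locations, taken from the RegSvcs.exe accesses in this report.
# Matched case-insensitively by suffix so the user name and profile name do not matter.
CREDENTIAL_STORES = [
    ("chrome_logins",   r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$"),
    ("edge_logins",     r"\\Microsoft\\Edge\\User Data\\[^\\]+\\Login Data$"),
    ("firefox_profile", r"\\Mozilla\\Firefox\\profiles\.ini$"),
    ("thunderbird",     r"\\Thunderbird\\profiles\.ini$"),
    ("cyberfox",        r"\\8pecxstudios\\Cyberfox\\profiles\.ini$"),
    ("blackhawk",       r"\\NETGATE Technologies\\BlackHawk\\profiles\.ini$"),
    ("ftp_navigator",   r"^C:\\FTP Navigator\\Ftplist\.txt$"),
    ("winscp_sessions", r"\\Martin Prikryl\\WinSCP 2\\Sessions$"),
    ("mapi_profiles",   r"\\Windows Messaging Subsystem\\Profiles$"),
    ("incredimail",     r"\\IncrediMail\\Identities$"),
]
_COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in CREDENTIAL_STORES]

# Processes that legitimately open their own store (allow-list; an assumption for this
# example, tune it to the fleet). RegSvcs.exe is deliberately absent.
EXPECTED_ACCESSORS = {"chrome.exe", "msedge.exe", "firefox.exe", "thunderbird.exe", "winscp.exe"}


@dataclass(frozen=True)
class AccessEvent:
    pid: int
    image: str   # full path of the process that opened the object
    target: str  # file path or registry key that was opened


def classify_store(target: str):
    """Return the store family for a path or key, or None if it is not a credential store."""
    for name, rx in _COMPILED:
        if rx.search(target):
            return name
    return None


def suspicious_accesses(events):
    """(pid, image basename, store family, target) for every credential-store open made by
    a process outside the allow-list, in event order."""
    hits = []
    for ev in events:
        store = classify_store(ev.target)
        exe = ev.image.rsplit("\\", 1)[-1].lower()
        if store is not None and exe not in EXPECTED_ACCESSORS:
            hits.append((ev.pid, exe, store, ev.target))
    return hits


def stealer_candidates(events, threshold=3):
    """pid -> number of distinct store families opened, for processes at or above `threshold`.
    Breadth is the discriminator: one process touching many unrelated stores is the stealer pattern."""
    families = defaultdict(set)
    for pid, _exe, store, _target in suspicious_accesses(events):
        families[pid].add(store)
    return {pid: len(s) for pid, s in families.items() if len(s) >= threshold}


# Constructed events (not real telemetry). PID 368 mirrors the RegSvcs.exe activity in this
# report; the remaining events are controls that must not fire.
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SAMPLE_EVENTS = [
    AccessEvent(368, REGSVCS, r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    AccessEvent(368, REGSVCS, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent(368, REGSVCS, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    AccessEvent(368, REGSVCS, r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    AccessEvent(368, REGSVCS, r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),  # repeat, same family
    AccessEvent(368, REGSVCS, r"C:\FTP Navigator\Ftplist.txt"),
    AccessEvent(368, REGSVCS, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe.config"),  # benign open
    AccessEvent(4120, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),  # expected accessor
    AccessEvent(5012, r"C:\Windows\System32\notepad.exe", r"C:\Users\user\Desktop\notes.txt"),  # unrelated
]

if __name__ == "__main__":
    for pid, exe, store, target in suspicious_accesses(SAMPLE_EVENTS):
        print(f"pid {pid} {exe} opened {store}: {target}")
    print("stealer candidates:", stealer_candidates(SAMPLE_EVENTS))
```

On the constructed input only PID 368 is reported, with five distinct store families; Chrome reading its own Login Data and RegSvcs.exe reading its own .config are ignored. The per-family threshold is what keeps a single legitimate backup or migration tool from paging an analyst; raise or lower it per fleet rather than alerting on any single open.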

                    Remote Access Functionality

                    Source: Yara match; File source: 10.2.QXnCjDPniyIC.exe.45646a0.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4b16900.7.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.QXnCjDPniyIC.exe.459f0c0.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4adbee0.8.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.QXnCjDPniyIC.exe.45646a0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.QXnCjDPniyIC.exe.459f0c0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4b16900.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe.4adbee0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0000000E.00000002.3307561590.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000009.00000002.2228628971.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000E.00000002.3307561590.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000E.00000002.3307561590.0000000002A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000009.00000002.2230819074.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000A.00000002.2254353479.0000000004564000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000009.00000002.2230819074.0000000003209000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000009.00000002.2230819074.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.2150829898.0000000004ADB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe PID: 5756, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 368, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: QXnCjDPniyIC.exe PID: 4068, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5280, type: MEMORYSTR
                    MITRE ATT&CK Matrix (flattened from the report's tactic columns; the digits in parentheses are the signature-count badges the report shows next to a matched technique, reproduced as printed; techniques without a badge are the matrix's default placeholder cells with no matching signature)

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                    Execution: Windows Management Instrumentation (121); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                    Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Privilege Escalation: DLL Side-Loading (1); Process Injection (311); Scheduled Task/Job (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (32); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (141); Process Injection (311)
                    Credential Access: OS Credential Dumping (2); Input Capture (1); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                    Discovery: File and Directory Discovery (1); System Information Discovery (24); Security Software Discovery (211); Process Discovery (1); Virtualization/Sandbox Evasion (141); Application Window Discovery (1); Remote System Discovery; System Owner/User Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                    Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                    Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                    Behavior Graph (ID: 1448085; Sample: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe; Startdate: 27/05/2024; Architecture: WINDOWS; Score: 100)

                    Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 14 other signatures
                    DNS/IP: cp8nl.hyperhost.ua

                    Process tree (the number after a process name is the per-process badge from the graph):
                    • TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe (7)
                        Dropped: C:\Users\user\AppData\...\QXnCjDPniyIC.exe (PE32); C:\Users\user\AppData\Local\...\tmp6CFF.tmp (XML)
                        Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                        • RegSvcs.exe (2)
                            Network: cp8nl.hyperhost.ua 185.174.175.187, 49706, 49708, 587, ITLDC-NLUA Ukraine
                            Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                        • powershell.exe (23)
                            Signatures: Loading BitLocker PowerShell Module
                            • conhost.exe
                            • WmiPrvSE.exe
                        • powershell.exe (23)
                            • conhost.exe
                        • schtasks.exe (1)
                            • conhost.exe
                    • QXnCjDPniyIC.exe (5)
                        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                        • RegSvcs.exe
                            Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
                        • schtasks.exe
                            • conhost.exe
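The process tree in the behavior graph is the part of this report worth turning into a detection: the sample, running from the user's Desktop, spawns RegSvcs.exe as the injection host, two powershell.exe instances (one of which adds the Windows Defender exclusion) and schtasks.exe, which registers the persistence task from the dropped tmp6CFF.tmp XML. The block below is an added example written for this page, not code from the sample or from Joe Sandbox. It rebuilds a parent/child tree from constructed Sysmon-style process-creation events and flags the three parent/child combinations above. The PIDs other than 5756 and 368, the command lines and the Setup.exe control are assumptions; in particular the exclusion is assumed to be passed as a base64-encoded -EncodedCommand, which the rule decodes before matching, because the report does not print the sample's actual PowerShell command line.

```python
import base64
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the new process
    cmdline: str  # its command line


# Executables started from a user-writable location are treated as untrusted parents.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(?:Desktop|Downloads|AppData)\\", re.IGNORECASE)
# schtasks /Create ... /XML <file under %LOCALAPPDATA%\Temp>
TEMP_XML = re.compile(r"/xml\s+\"?(C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\s\"]+)", re.IGNORECASE)
# powershell -e / -ec / -enc / -EncodedCommand <base64 of UTF-16LE script>
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
DEFENDER_EXCLUSION = re.compile(r"(?:Add|Set)-MpPreference[^|;]*-Exclusion", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if absent or not valid base64/UTF-16LE."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def tree_lines(events):
    """Indented text rendering of the process tree; roots are events whose parent is unknown."""
    children, known, seen, out = defaultdict(list), {ev.pid for ev in events}, set(), []
    for ev in events:
        children[ev.ppid].append(ev)

    def walk(pid, depth):
        for ev in children.get(pid, []):
            if ev.pid in seen:        # guard against PID reuse producing a cycle
                continue
            seen.add(ev.pid)
            out.append("  " * depth + f"{_basename(ev.image)} (pid {ev.pid})")
            walk(ev.pid, depth + 1)

    for root in sorted({ev.ppid for ev in events if ev.ppid not in known}):
        walk(root, 0)
    return out


def analyze(events):
    """Return (rule, parent_pid, child_pid) for every flagged parent/child pair, in event order."""
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue
        child = _basename(ev.image)
        untrusted_parent = bool(USER_WRITABLE.match(parent.image))
        # 1. RegSvcs.exe is a .NET Framework helper; a user-profile binary launching it is the
        #    hollowing pattern this report describes (PE injected into a foreign process).
        if child == "regsvcs.exe" and untrusted_parent:
            findings.append(("regsvcs_injection_host", parent.pid, ev.pid))
        # 2. PowerShell adding a Defender exclusion, possibly hidden behind -EncodedCommand.
        if child == "powershell.exe":
            script = decode_encoded_command(ev.cmdline) or ev.cmdline
            if DEFENDER_EXCLUSION.search(script):
                findings.append(("defender_exclusion", parent.pid, ev.pid))
        # 3. Scheduled task created from an XML definition dropped in %TEMP%.
        if child == "schtasks.exe" and "/create" in ev.cmdline.lower() and TEMP_XML.search(ev.cmdline):
            findings.append(("task_from_temp_xml", parent.pid, ev.pid))
    return findings


# Constructed events modelled on the behavior graph (not real telemetry). Setup.exe launching
# RegSvcs.exe from Program Files is a benign control that must not fire.
SAMPLE = r"C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
ENC = base64.b64encode(
    r"Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    ProcEvent(5756, 1234, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(368, 5756, REGSVCS, REGSVCS),
    ProcEvent(2100, 5756, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -EncodedCommand {ENC}"),
    ProcEvent(2200, 5756, r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks.exe /Create /TN "QXnCjDPniyIC" /XML "C:\Users\user\AppData\Local\Temp\tmp6CFF.tmp"'),
    ProcEvent(3000, 1234, r"C:\Program Files\Vendor\Setup.exe", "Setup.exe"),
    ProcEvent(3001, 3000, REGSVCS, "RegSvcs.exe Vendor.Component.dll"),
]

if __name__ == "__main__":
    print("\n".join(tree_lines(SAMPLE_EVENTS)))
    for rule, ppid, pid in analyze(SAMPLE_EVENTS):
        print(f"{rule}: parent pid {ppid} -> child pid {pid}")
```

Each rule keys on the parent as much as the child: RegSvcs.exe, PowerShell and schtasks.exe are all legitimate on their own, and the Program Files control shows that the same child started by an installer is left alone. Decoding -EncodedCommand before matching matters because the cmdlet name never appears in the raw command line of an encoded invocation.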

                    Antivirus detection, submitted sample (Source: Detection, Scanner, Label)
                    TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe: 58%, Virustotal
                    TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe: 45%, ReversingLabs, ByteCode-MSIL.Trojan.Barys
                    TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe: 100%, Avira, HEUR/AGEN.1350996
                    TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe: 100%, Joe Sandbox ML
                    Antivirus detection, dropped file (Source: Detection, Scanner, Label)
                    C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe: 100%, Avira, HEUR/AGEN.1350996
                    C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe: 100%, Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe: 45%, ReversingLabs, ByteCode-MSIL.Trojan.Barys
                    C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe: 58%, Virustotal
                    No Antivirus matches
                    Antivirus detection, domains (Source: Detection, Scanner, Label)
                    cp8nl.hyperhost.ua: 2%, Virustotal
                    Antivirus detection, URLs (Source: Detection, Scanner, Label)
                    http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#: 0%, URL Reputation, safe
                    https://sectigo.com/CPS0: 0%, URL Reputation, safe
                    https://account.dyn.com/: 0%, URL Reputation, safe
                    http://ocsp.sectigo.com0: 0%, URL Reputation, safe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: 0%, URL Reputation, safe
                    https://www.chiark.greenend.org.uk/~sgtatham/putty/0: 0%, URL Reputation, safe
                    http://cp8nl.hyperhost.ua: 0%, Avira URL Cloud, safe
                    http://cp8nl.hyperhost.ua: 2%, Virustotal
                    Domains (Name; IP; Active; Malicious; Antivirus Detection; Reputation)
                    cp8nl.hyperhost.ua; 185.174.175.187; Active: true; Malicious: true; Antivirus Detection: none; Reputation: unknown
                    URLs found in memory and binary data (Name; Source; Malicious; Antivirus Detection; Reputation)
                    http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
                        Source: RegSvcs.exe, 00000009.00000002.2230819074.00000000031E6000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000009.00000002.2235440286.0000000006540000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 0000000E.00000002.3307561590.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 0000000E.00000002.3314257749.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp
                        Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
                    https://sectigo.com/CPS0
                        Source: RegSvcs.exe, 00000009.00000002.2230819074.00000000031E6000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000009.00000002.2235440286.0000000006540000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 0000000E.00000002.3307561590.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 0000000E.00000002.3314257749.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp
                        Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
                    https://account.dyn.com/
                        Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, 00000000.00000002.2150829898.0000000004ADB000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000009.00000002.2228628971.0000000000402000.00000040.00000400.00020000.00000000.sdmp; QXnCjDPniyIC.exe, 0000000A.00000002.2254353479.0000000004564000.00000004.00000800.00020000.00000000.sdmp
                        Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
                    http://ocsp.sectigo.com0
                        Source: RegSvcs.exe, 00000009.00000002.2230819074.00000000031E6000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000009.00000002.2235440286.0000000006540000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 0000000E.00000002.3307561590.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 0000000E.00000002.3314257749.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp
                        Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, 00000000.00000002.2149268107.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp; TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe, 00000000.00000002.2149268107.000000000316D000.00000004.00000800.00020000.00000000.sdmp; QXnCjDPniyIC.exe, 0000000A.00000002.2248633440.0000000003501000.00000004.00000800.00020000.00000000.sdmp
                        Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
                    https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                        Source: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe; QXnCjDPniyIC.exe.0.dr
                        Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
                    http://cp8nl.hyperhost.ua
                        Source: RegSvcs.exe, 00000009.00000002.2230819074.00000000031E6000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 0000000E.00000002.3307561590.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp
                        Malicious: false; Antivirus Detection: 2%, Virustotal; Avira URL Cloud: safe; Reputation: unknown
                    IPs (IP; Domain; Country; ASN; ASN Name; Malicious)
                    185.174.175.187; cp8nl.hyperhost.ua; Ukraine; ASN 21100; ITLDC-NLUA; Malicious: true
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1448085
                    Start date and time:2024-05-27 18:33:08 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 7m 43s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:18
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe
                    renamed because original name is a hash value
                    Original Sample Name:TEKLF TALEP VE FYAT TEKLF 05-27-2024_xlsx.scr.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@19/15@1/1
                    EGA Information:
                    • Successful, ratio: 75%
                    HCA Information:
                    • Successful, ratio: 98%
                    • Number of executed functions: 164
                    • Number of non-executed functions: 16
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target RegSvcs.exe, PID 368 because it is empty
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    Time; Type; Description
                    12:33:56; API Interceptor; 1x Sleep call for process: TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe modified
                    12:34:02; API Interceptor; 30x Sleep call for process: powershell.exe modified
                    12:34:04; API Interceptor; 57x Sleep call for process: RegSvcs.exe modified
                    12:34:05; API Interceptor; 1x Sleep call for process: QXnCjDPniyIC.exe modified
                    18:34:03; Task Scheduler; Run new task: QXnCjDPniyIC path: C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe
                    Context for IP 185.174.175.187 (Associated Sample Name / URL; Detection; Threat Name)
                    T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe; malicious; AgentTesla
                    TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130sxlx..exe; malicious; AgentTesla
                    TALEP VE F#U0130YAT TEKL#U0130F#U0130 FDP..exe; malicious; AgentTesla
                    Unilever Unilever Sanayi ve Ticaret Turk AS Purchase Order PO11824729sxlx..exe; malicious; AgentTesla
                    justificantes.scr.exe; malicious; AgentTesla
                    TGPF4-MG-002_Material Requirement for Sour Service_A.scr.exe; malicious; AgentTesla
                    130 FDP..exe; malicious; AgentTesla
                    FACTURAS.scr.exe; malicious; AgentTesla
                    F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exe; malicious; AgentTesla
                    e-dekont_html.exe; malicious; AgentTesla
                    Context for domain cp8nl.hyperhost.ua (Associated Sample Name / URL; Detection; Threat Name; Context: resolved IP)
                    T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe; malicious; AgentTesla; 185.174.175.187
                    TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130sxlx..exe; malicious; AgentTesla; 185.174.175.187
                    TALEP VE F#U0130YAT TEKL#U0130F#U0130 FDP..exe; malicious; AgentTesla; 185.174.175.187
                    Unilever Unilever Sanayi ve Ticaret Turk AS Purchase Order PO11824729sxlx..exe; malicious; AgentTesla; 185.174.175.187
                    justificantes.scr.exe; malicious; AgentTesla; 185.174.175.187
                    TGPF4-MG-002_Material Requirement for Sour Service_A.scr.exe; malicious; AgentTesla; 185.174.175.187
                    130 FDP..exe; malicious; AgentTesla; 185.174.175.187
                    FACTURAS.scr.exe; malicious; AgentTesla; 185.174.175.187
                    F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exe; malicious; AgentTesla; 185.174.175.187
                    e-dekont_html.exe; malicious; AgentTesla; 185.174.175.187
                    Context for ASN ITLDC-NLUA (Associated Sample Name / URL; Detection; Threat Name; Context: contacted IP)
                    pkWlNPRq4x.exe; malicious; SmokeLoader; 195.123.218.120
                    T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe; malicious; AgentTesla; 185.174.175.187
                    TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130sxlx..exe; malicious; AgentTesla; 185.174.175.187
                    1.exe; malicious; SmokeLoader; 195.123.218.120
                    TALEP VE F#U0130YAT TEKL#U0130F#U0130 FDP..exe; malicious; AgentTesla; 185.174.175.187
                    Unilever Unilever Sanayi ve Ticaret Turk AS Purchase Order PO11824729sxlx..exe; malicious; AgentTesla; 185.174.175.187
                    https://mt.tryd.pro/?utm_medium=5d539b8fe867f4649d0e7e9d483a8c0123849486&utm_campaign=Remnantnewtest&1=1; malicious; Unknown; 91.223.123.205
                    CHNSoT10HG.exe; malicious; AgentTesla, DarkTortilla; 185.174.174.220
                    justificantes.scr.exe; malicious; AgentTesla; 185.174.175.187
                    S9iJqTQS7q.exe; malicious; RedLine; 178.159.39.40
                                        No context
                                        No context
                                        Process:C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.34331486778365
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                        Malicious:false
                                        Reputation:high, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                        Process:C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.34331486778365
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                        Malicious:false
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):2232
                                        Entropy (8bit):5.3797706053345555
                                        Encrypted:false
                                        SSDEEP:48:fWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMuge//ZSUyus:fLHxv2IfLZ2KRH6OugEs
                                        MD5:D4C226772B41F4F9E5EAB939595F5D6E
                                        SHA1:5259C1E42AB1D3B729965196C999030069C24A3C
                                        SHA-256:E23C0445EE1BB5FDFF797A8642C5ABF732BE11C4F337068DC31C603F0C1A5FF8
                                        SHA-512:03C154437849C572F058063AF964FE18AC06FD9BBF601D5FDF0D0562C05A38CEFF75351BC5DEA46B1ED7169EBC134044214DD4BD4BBBB2D60CA28CA337D93DA2
                                        Malicious:false
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe
                                        File Type:XML 1.0 document, ASCII text
                                        Category:dropped
                                        Size (bytes):1599
                                        Entropy (8bit):5.1028310706231865
                                        Encrypted:false
                                        SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLfaxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTDuv
                                        MD5:F3F654E2980B8FC2347D18EA8FCA6158
                                        SHA1:EC194ADED9373D91700DCDB8E79B1D5EBE8D4438
                                        SHA-256:2DFEAEB1685399730A7E4083D0FE272A5074236EE17E1B9679553A1021B10F3E
                                        SHA-512:B9509A9D7018EAD0EE85A651FA89B92D5F08CD7A031EF430ED0ADDFD90767B2188884A77188CDF91898DC2978D05988AF7666DE17B2FA65B8087650E2FE4A166
                                        Malicious:true
                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                        Process:C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe
                                        File Type:XML 1.0 document, ASCII text
                                        Category:dropped
                                        Size (bytes):1599
                                        Entropy (8bit):5.1028310706231865
                                        Encrypted:false
                                        SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLfaxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTDuv
                                        MD5:F3F654E2980B8FC2347D18EA8FCA6158
                                        SHA1:EC194ADED9373D91700DCDB8E79B1D5EBE8D4438
                                        SHA-256:2DFEAEB1685399730A7E4083D0FE272A5074236EE17E1B9679553A1021B10F3E
                                        SHA-512:B9509A9D7018EAD0EE85A651FA89B92D5F08CD7A031EF430ED0ADDFD90767B2188884A77188CDF91898DC2978D05988AF7666DE17B2FA65B8087650E2FE4A166
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                        Process:C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):906248
                                        Entropy (8bit):7.83627798211682
                                        Encrypted:false
                                        SSDEEP:24576:ubyx8MYxPb1kneBGXw8JYIEJXq2Pn8/+OV5:eyx8MYxPZ0gsYZJXjE2OV5
                                        MD5:6DF3F8880A8B99EA7417F9F06828299D
                                        SHA1:36226A576EDE9A2425E8F46C30DE52233BD1CF54
                                        SHA-256:62601D311E6061480F42B44495215C0137DD6436E74F5744008687898B28350B
                                        SHA-512:0EADD15D9C73C1140F3C3BA6EA51820CFFDED4815EFB7F823D766DBEAE45825092C30B82EBE8968D82FF30A518C6DA9059A6F48AC0359C628D5A345173315CFA
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 45%
                                         • Antivirus: Virustotal, Detection: 58%
                                        Process:C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:false
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.83627798211682
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                        • Win32 Executable (generic) a (10002005/4) 49.97%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe
                                        File size:906'248 bytes
                                        MD5:6df3f8880a8b99ea7417f9f06828299d
                                        SHA1:36226a576ede9a2425e8f46c30de52233bd1cf54
                                        SHA256:62601d311e6061480f42b44495215c0137dd6436e74f5744008687898b28350b
                                        SHA512:0eadd15d9c73c1140f3c3ba6ea51820cffded4815efb7f823d766dbeae45825092c30b82ebe8968d82ff30a518c6da9059a6f48ac0359c628d5a345173315cfa
                                        SSDEEP:24576:ubyx8MYxPb1kneBGXw8JYIEJXq2Pn8/+OV5:eyx8MYxPZ0gsYZJXjE2OV5
                                        TLSH:DA15CF9C36107ADFC81BC87289A82CA4EA6074B7570BD207906716ECDE4DAA7DF141F7
                                        Icon Hash:b29f0f26342a1507
                                        Entrypoint:0x4d932e
                                        Entrypoint Section:.text
                                        Digitally signed:true
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x66545D49 [Mon May 27 10:15:37 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                        Signature Valid:false
                                        Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                        Signature Validation Error:The digital signature of the object did not verify
                                        Error Number:-2146869232
                                        Not Before, Not After
                                        • 13/11/2018 01:00:00 09/11/2021 00:59:59
                                        Subject Chain
                                        • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                        Version:3
                                        Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                        Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                        Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                        Serial:7C1118CBBADC95DA3752C46E47A27438
                                        Instruction
                                        jmp dword ptr [00402000h]
                                         Name | Virtual Address | Virtual Size | Is in Section
                                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd92e0 | 0x4b | .text
                                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xda000 | 0x2408 | .rsrc
                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0xd9e00 | 0x3608 |
                                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xde000 | 0xc | .reloc
                                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                         Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                         .text | 0x2000 | 0xd7334 | 0xd7400 | f6ba08dddd54df3533bbb4efe24d8413 | False | 0.8778673054587689 | data | 7.838584752492977 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                         .rsrc | 0xda000 | 0x2408 | 0x2600 | 80fb4ce87c36d77d3f8d25a0470397eb | False | 0.8484786184210527 | data | 7.406396198818435 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                         .reloc | 0xde000 | 0xc | 0x200 | 2a9eb4b7f5c4a5109f005ae56cd34857 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                         Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                         RT_ICON | 0xda130 | 0x1de6 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9775280898876404
                                         RT_GROUP_ICON | 0xdbf18 | 0x14 | data | | | 1.05
                                         RT_VERSION | 0xdbf2c | 0x2f0 | SysEx File - IDP | | | 0.41888297872340424
                                         RT_MANIFEST | 0xdc21c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                         DLL | Import
                                         mscoree.dll | _CorExeMain
TCP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 27, 2024 18:34:05.052891016 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:05.059242010 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:05.059478998 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:05.813605070 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:05.814493895 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:05.830549002 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:05.999459982 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:05.999735117 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:06.004690886 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:06.177043915 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:06.184952974 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:06.189882994 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:06.367239952 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:06.367274046 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:06.367294073 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:06.367311954 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:06.367326975 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:06.367554903 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:06.456353903 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:06.456588030 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:06.475675106 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:06.480963945 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:06.662662029 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:06.679683924 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:06.684973001 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:06.858268023 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:06.859230042 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:06.866280079 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:07.034368992 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:07.035619974 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:07.041337967 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:07.238039017 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:07.238502026 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:07.244179964 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:07.417236090 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:07.418608904 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:07.423995018 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:07.608081102 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:07.608335018 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:07.615617990 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:07.784252882 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:07.785232067 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:07.785283089 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:07.785293102 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:07.785425901 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:07.790318966 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:07.790375948 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:07.790406942 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:07.790441036 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:08.066056967 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:08.120578051 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:14.248986959 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:14.389421940 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:14.394680977 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:14.394782066 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:15.170250893 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:15.170938969 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:15.175916910 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:15.352843046 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:15.353038073 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:15.360018969 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:15.535685062 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:15.588952065 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:15.591778994 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:15.596648932 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:15.780339956 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:15.780395985 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:15.780411959 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:15.780467987 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:15.780554056 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:15.780616045 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:15.874326944 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:15.875665903 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:15.880526066 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:16.056029081 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:16.071913004 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:16.076805115 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:16.254348993 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:16.254749060 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:16.262393951 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:16.439412117 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:16.440068960 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:16.447474003 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:16.635313034 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:16.635662079 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:16.641807079 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:16.816777945 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:16.817070961 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:16.821937084 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:17.006027937 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:17.006259918 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:17.011183977 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:17.186214924 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:17.187211037 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:17.187323093 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:17.187355042 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:17.187381983 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:34:17.192084074 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:17.192109108 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:17.192209005 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:17.192262888 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:17.474807024 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:34:17.526437044 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:35:54.875674963 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:35:54.880882978 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:35:55.057368040 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6
May 27, 2024 18:35:55.120304108 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
May 27, 2024 18:35:55.209464073 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187
UDP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 27, 2024 18:34:05.021511078 CEST | 57370 | 53 | 192.168.2.6 | 1.1.1.1
May 27, 2024 18:34:05.032507896 CEST | 53 | 57370 | 1.1.1.1 | 192.168.2.6

DNS queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 27, 2024 18:34:05.021511078 CEST | 192.168.2.6 | 1.1.1.1 | 0xacb5 | Standard query (0) | cp8nl.hyperhost.ua | A (IP address) | IN (0x0001) | false

DNS answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 27, 2024 18:34:05.032507896 CEST | 1.1.1.1 | 192.168.2.6 | 0xacb5 | No error (0) | cp8nl.hyperhost.ua | | 185.174.175.187 | A (IP address) | IN (0x0001) | false
SMTP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
May 27, 2024 18:34:05.813605070 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6 | 220-cp8nl.hyperhost.ua ESMTP Exim 4.97.1 #2 Mon, 27 May 2024 19:34:05 +0300
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
May 27, 2024 18:34:05.814493895 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187 | EHLO 364339
May 27, 2024 18:34:05.999459982 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6 | 250-cp8nl.hyperhost.ua Hello 364339 [8.46.123.175]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
May 27, 2024 18:34:05.999735117 CEST | 49706 | 587 | 192.168.2.6 | 185.174.175.187 | STARTTLS
May 27, 2024 18:34:06.177043915 CEST | 587 | 49706 | 185.174.175.187 | 192.168.2.6 | 220 TLS go ahead
May 27, 2024 18:34:15.170250893 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6 | 220-cp8nl.hyperhost.ua ESMTP Exim 4.97.1 #2 Mon, 27 May 2024 19:34:15 +0300
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
May 27, 2024 18:34:15.170938969 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187 | EHLO 364339
May 27, 2024 18:34:15.352843046 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6 | 250-cp8nl.hyperhost.ua Hello 364339 [8.46.123.175]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
May 27, 2024 18:34:15.353038073 CEST | 49708 | 587 | 192.168.2.6 | 185.174.175.187 | STARTTLS
May 27, 2024 18:34:15.535685062 CEST | 587 | 49708 | 185.174.175.187 | 192.168.2.6 | 220 TLS go ahead
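The DNS answer, the TCP connects on 587 and the EHLO/STARTTLS exchange above are three views of one exfiltration channel: the sample resolves cp8nl.hyperhost.ua through 1.1.1.1, opens a mail-submission session from a workstation, identifies itself with the bare number 364339, and negotiates STARTTLS, after which the pcap shows only TLS records. The credentials and the stolen data therefore never appear on the wire; they are in the memory dumps the Yara rules fired on. The following Python is an added example, not Joe Sandbox code: it correlates the three record types into one alert the way a network-detection pipeline would. EVENTS is constructed from the report's rows (timestamps dropped), and MAIL_RELAYS and the numeric-EHLO heuristic are assumptions; feed it the same record types from Zeek or Suricata logs instead.

```python
"""Stitch DNS, TCP and SMTP records into one exfiltration alert.

Added example, not Joe Sandbox code. EVENTS is constructed from the report's
tables; MAIL_RELAYS and the numeric-EHLO heuristic are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SUBMISSION_PORTS = {25, 465, 587}
MAIL_RELAYS = {"10.0.0.25"}  # assumed: the only hosts allowed to speak SMTP outbound

# Constructed event stream mirroring the report: one DNS answer, one TCP connect,
# then the SMTP dialogue up to the point the channel goes opaque.
EVENTS: List[Tuple[str, Dict]] = [
    ("dns",  {"name": "cp8nl.hyperhost.ua", "answer": "185.174.175.187"}),
    ("tcp",  {"src": "192.168.2.6", "dst": "185.174.175.187", "dport": 587}),
    ("smtp", {"src": "185.174.175.187", "dst": "192.168.2.6",
              "line": "220-cp8nl.hyperhost.ua ESMTP Exim 4.97.1 #2 Mon, 27 May 2024 19:34:05 +0300"}),
    ("smtp", {"src": "192.168.2.6", "dst": "185.174.175.187", "line": "EHLO 364339"}),
    ("smtp", {"src": "185.174.175.187", "dst": "192.168.2.6", "line": "250-STARTTLS"}),
    ("smtp", {"src": "192.168.2.6", "dst": "185.174.175.187", "line": "STARTTLS"}),
    ("smtp", {"src": "185.174.175.187", "dst": "192.168.2.6", "line": "220 TLS go ahead"}),
]


@dataclass
class SmtpSession:
    client: str
    server: str
    dport: int
    server_name: Optional[str] = None   # from the DNS answer that preceded the connect
    banner: Optional[str] = None
    ehlo_identity: Optional[str] = None
    starttls_requested: bool = False
    starttls: bool = False              # server accepted; everything after this is TLS


def correlate(events: List[Tuple[str, Dict]]) -> List[SmtpSession]:
    """Build one SmtpSession per submission-port connect, enriched with DNS and SMTP lines."""
    dns_cache: Dict[str, str] = {}      # answered IP -> queried name
    sessions: Dict[Tuple[str, str, int], SmtpSession] = {}
    for kind, e in events:
        if kind == "dns":
            dns_cache[e["answer"]] = e["name"]
        elif kind == "tcp" and e["dport"] in SUBMISSION_PORTS:
            key = (e["src"], e["dst"], e["dport"])
            sessions[key] = SmtpSession(e["src"], e["dst"], e["dport"], dns_cache.get(e["dst"]))
        elif kind == "smtp":
            sess = next((s for s in sessions.values()
                         if {s.client, s.server} == {e["src"], e["dst"]}), None)
            if sess is None:
                continue
            line = e["line"].strip()
            if e["src"] == sess.client:
                if line.upper().startswith(("EHLO ", "HELO ")):
                    sess.ehlo_identity = line.split(None, 1)[1]
                elif line.upper() == "STARTTLS":
                    sess.starttls_requested = True
            elif line.startswith("220"):
                if sess.starttls_requested:
                    sess.starttls = True           # "220 TLS go ahead"
                elif sess.banner is None:
                    sess.banner = line             # the greeting
    return list(sessions.values())


def alerts(sessions: List[SmtpSession], relays=MAIL_RELAYS) -> List[List[str]]:
    """One list of reasons per session that an endpoint (not a relay) should never have opened."""
    out = []
    for s in sessions:
        if s.client in relays:
            continue
        reasons = [f"endpoint {s.client} opened SMTP submission to "
                   f"{s.server_name or s.server} ({s.server}):{s.dport}"]
        if s.banner:
            reasons.append("server banner: " + s.banner)
        if s.ehlo_identity and s.ehlo_identity.isdigit():
            reasons.append(f"EHLO identity {s.ehlo_identity!r} is a number, not a hostname")
        if s.starttls:
            reasons.append("STARTTLS accepted: credentials and message body are not in the pcap; "
                           "recover them from the process memory dump or the extracted config")
        out.append(reasons)
    return out


if __name__ == "__main__":
    for reasons in alerts(correlate(EVENTS)):
        print("ALERT")
        for r in reasons:
            print("  -", r)
```

The session key is (client, server, port) so the second connection on 49708 would become a second SmtpSession with the same enrichment; the DNS cache is keyed on the answered address because the connect record carries only the IP.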


                                        Target ID:0
                                        Start time:12:33:55
                                        Start date:27/05/2024
                                        Path:C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe"
                                        Imagebase:0x9e0000
                                        File size:906'248 bytes
                                        MD5 hash:6DF3F8880A8B99EA7417F9F06828299D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2150829898.0000000004ADB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2150829898.0000000004ADB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        Target ID:3
                                        Start time:12:34:01
                                        Start date:27/05/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe"
                                        Imagebase:0xcf0000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:12:34:01
                                        Start date:27/05/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:12:34:01
                                        Start date:27/05/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe"
                                        Imagebase:0xcf0000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:6
                                        Start time:12:34:01
                                        Start date:27/05/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:12:34:02
                                        Start date:27/05/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QXnCjDPniyIC" /XML "C:\Users\user\AppData\Local\Temp\tmp6CFF.tmp"
                                        Imagebase:0x920000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:8
                                        Start time:12:34:02
                                        Start date:27/05/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:9
                                        Start time:12:34:02
                                        Start date:27/05/2024
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                        Imagebase:0xef0000
                                        File size:45'984 bytes
                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2228628971.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2228628971.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2230819074.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2230819074.0000000003209000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2230819074.0000000003191000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2230819074.0000000003191000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:true

                                        Target ID:10
                                        Start time:12:34:03
                                        Start date:27/05/2024
                                        Path:C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe
                                        Imagebase:0xff0000
                                        File size:906'248 bytes
                                        MD5 hash:6DF3F8880A8B99EA7417F9F06828299D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2254353479.0000000004564000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2254353479.0000000004564000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 45%, ReversingLabs
                                        • Detection: 58%, Virustotal, Browse
                                        Reputation:low
                                        Has exited:true

                                        Target ID:11
                                        Start time:12:34:04
                                        Start date:27/05/2024
                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                        Imagebase:0x7ff717f30000
                                        File size:496'640 bytes
                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                        Has elevated privileges:true
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:12
                                        Start time:12:34:11
                                        Start date:27/05/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QXnCjDPniyIC" /XML "C:\Users\user\AppData\Local\Temp\tmp9279.tmp"
                                        Imagebase:0x920000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:13
                                        Start time:12:34:11
                                        Start date:27/05/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:14
                                        Start time:12:34:12
                                        Start date:27/05/2024
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                        Imagebase:0x740000
                                        File size:45'984 bytes
                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3307561590.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3307561590.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3307561590.0000000002A99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:false
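The process list is the dynamic counterpart of the packed .text: the sample (Target 0) runs PowerShell twice to add Defender exclusions for itself and for the copy it drops to %APPDATA%, registers a scheduled task "Updates\QXnCjDPniyIC" from a temp-file XML, and starts an argument-less RegSvcs.exe that then carries the AgentTesla Yara matches; the dropped copy (Target 10) repeats the task and RegSvcs steps. Note that the cmdlets here are in clear text, so a rule should key on the cmdlet and parameter, not on an encoding. The following Python is an added example, not Joe Sandbox or Sigma code: three process-creation rules run over constructed Sysmon-style records that copy the command lines above. The ParentImage values (the report's process tree is not reproduced in this section) and the rule heuristics are assumptions.

```python
"""Process-creation detections for the behaviours in the report's process list.

Added example, not Joe Sandbox or Sigma code. EVENTS copies the report's
command lines; ParentImage values and the rule heuristics are assumptions.
"""
import re
from typing import Callable, Dict, List, Tuple

SAMPLE = r"C:\Users\user\Desktop\TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.scr.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\QXnCjDPniyIC.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed Sysmon-EventID-1-style records: Image, CommandLine, ParentImage (parents assumed)
EVENTS: List[Dict[str, str]] = [
    {"Image": PS, "ParentImage": SAMPLE,
     "CommandLine": f'"{PS}" Add-MpPreference -ExclusionPath "{SAMPLE}"'},
    {"Image": PS, "ParentImage": SAMPLE,
     "CommandLine": f'"{PS}" Add-MpPreference -ExclusionPath "{DROPPED}"'},
    {"Image": SCHTASKS, "ParentImage": SAMPLE,
     "CommandLine": f'"{SCHTASKS}" /Create /TN "Updates\\QXnCjDPniyIC" '
                    f'/XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmp6CFF.tmp"'},
    {"Image": SCHTASKS, "ParentImage": DROPPED,
     "CommandLine": f'"{SCHTASKS}" /Create /TN "Updates\\QXnCjDPniyIC" '
                    f'/XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmp9279.tmp"'},
    {"Image": REGSVCS, "ParentImage": SAMPLE, "CommandLine": f'"{REGSVCS}"'},
    {"Image": REGSVCS, "ParentImage": DROPPED, "CommandLine": f'"{REGSVCS}"'},
    # benign controls (constructed): console host, an admin query, a developer's RegSvcs use
    {"Image": r"C:\Windows\System32\conhost.exe", "ParentImage": PS,
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{PS}" Get-MpPreference'},
    {"Image": REGSVCS, "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "CommandLine": f'"{REGSVCS}" /u MyComponent.dll'},
]


def defender_exclusion(e: Dict[str, str]) -> bool:
    """PowerShell adding a Defender exclusion (path, process or extension)."""
    return (e["Image"].lower().endswith("powershell.exe")
            and re.search(r"add-mppreference\b.*-exclusion(path|process|extension)",
                          e["CommandLine"], re.I) is not None)


def task_from_temp(e: Dict[str, str]) -> bool:
    """schtasks /Create importing its task definition from a file under %TEMP%."""
    cl = e["CommandLine"].lower()
    return (e["Image"].lower().endswith("schtasks.exe") and "/create" in cl
            and re.search(r"/xml\s+\"?[^\"]*\\appdata\\local\\temp\\", cl) is not None)


def hollowed_regsvcs(e: Dict[str, str]) -> bool:
    """RegSvcs.exe with no arguments, spawned from a user-writable path: an injection host."""
    if not e["Image"].lower().endswith(r"\regsvcs.exe"):
        return False
    bare = re.fullmatch(r'"[^"]*"|\S+', e["CommandLine"].strip()) is not None  # image path only
    parent = e["ParentImage"].lower()
    return bare and ("\\users\\" in parent or "\\appdata\\" in parent)


RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("defender_exclusion_added", defender_exclusion),
    ("scheduled_task_from_temp_xml", task_from_temp),
    ("regsvcs_injection_host", hollowed_regsvcs),
]


def run_rules(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(rule name, ParentImage) per hit; the parent is the binary to pull, not the LOLBin."""
    return [(name, e["ParentImage"]) for e in events for name, rule in RULES if rule(e)]


if __name__ == "__main__":
    for name, parent in run_rules(EVENTS):
        print(f"{name:<30} <- {parent}")
```

Reporting the parent rather than the hit image is deliberate: powershell.exe, schtasks.exe and RegSvcs.exe are signed Windows binaries, and the two parents the rules converge on (the Desktop sample and the %APPDATA% copy) are the files to quarantine, together with the "Updates\QXnCjDPniyIC" task and the two Defender exclusions they created.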


                                          Execution Graph

                                          Execution Coverage:14%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:129
                                          Total number of Limit Nodes:8

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2149101051.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2c40000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: hi2$hi2
                                          • API String ID: 0-2057508920
                                          • Opcode ID: 49fc5e74d1366b51f712a4f2258b514dd8219daf4e75f6c33b57c06d25c15856
                                          • Instruction ID: 63078b9c8c799c645c3e6a0132b951f122c7473551fd0297c465fbc6dfa3655a
                                          • Opcode Fuzzy Hash: 49fc5e74d1366b51f712a4f2258b514dd8219daf4e75f6c33b57c06d25c15856
                                          • Instruction Fuzzy Hash: 58C15B70E0024ADFCB05CF9AC5819AEFBB2FF89340F649599D516AB214D734DA42CFA4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c140d35ba1559a14acc0d67898ffa28e97e86f81b5199fccfd48ad063a3f89f3
                                          • Instruction ID: 91a9403ddde80a19fd4ac7b4cf90df0566c615d95f447a9141b90e01828a113f
                                          • Opcode Fuzzy Hash: c140d35ba1559a14acc0d67898ffa28e97e86f81b5199fccfd48ad063a3f89f3
                                          • Instruction Fuzzy Hash: D3E19C717026048FDB29DF75C4A0BAEBBFAAF88740F15846DE1469B690CF35E901CB91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2149101051.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2c40000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d7f09710d70359e4321b43efc3e9c983a0c3b0616c6ddc0ab00cb9d4be9f8abd
                                          • Instruction ID: 8cb2b41903978d4d10e0573da730939a622f01d5a0241bfc956896a1cc3c9b48
                                          • Opcode Fuzzy Hash: d7f09710d70359e4321b43efc3e9c983a0c3b0616c6ddc0ab00cb9d4be9f8abd
                                          • Instruction Fuzzy Hash: 54D18C70E0025ADFCB05CFAAC5819AFFBB2FF89300B649595C412AB255D734D942CF94
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2149101051.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2c40000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ad7c186ef82818447bdc7ecac1e1aab831a7c10db5453cc7e8432529f55cee3f
                                          • Instruction ID: dec84ab6dfd0b423af2303794ef2ed96a8868fd3fce18960da7ac7fcec8152f3
                                          • Opcode Fuzzy Hash: ad7c186ef82818447bdc7ecac1e1aab831a7c10db5453cc7e8432529f55cee3f
                                          • Instruction Fuzzy Hash: 3CD18B70E0425ADFCB05CFAAC4819AFFBB2FF89310B649595C412AB255D734E942CF94
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2149101051.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2c40000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 82be7a33b1fd769f551325eda8f30bcf8abd94f1b794b0c734ca976f019acbb0
                                          • Instruction ID: 4e67841e16aab4d8744b91d0f51bc9f561b190dfd336d8ccc0f29084433c61d4
                                          • Opcode Fuzzy Hash: 82be7a33b1fd769f551325eda8f30bcf8abd94f1b794b0c734ca976f019acbb0
                                          • Instruction Fuzzy Hash: 0EA13574E042598FCB04CFAAC8846DEFBF2FF89310F24856AC505AB255DB74994ACF50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2149101051.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2c40000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 68314f11921cb2ca1dbe107785556902b6803c43dfa5f057ef2679a066362f35
                                          • Instruction ID: 7bea51bfc28f2ee5b8f8c4e6075643cd0e98c4a6d64606a7b5d24796d649cd03
                                          • Opcode Fuzzy Hash: 68314f11921cb2ca1dbe107785556902b6803c43dfa5f057ef2679a066362f35
                                          • Instruction Fuzzy Hash: 6181A374E006198FDB08CFAAC984ADEFBB2BF88310F14942AD519BB354DB749946CF54
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2149101051.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2c40000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d72cdb193aab078e05ca4f247273b8cc1e28a5942b5872a81246fee278378c1d
                                          • Instruction ID: 5a035c3f6c64c1aec40748bb49ad3737b30e476564b69ef622a656678378a800
                                          • Opcode Fuzzy Hash: d72cdb193aab078e05ca4f247273b8cc1e28a5942b5872a81246fee278378c1d
                                          • Instruction Fuzzy Hash: 0D51E974E01618CFEB58CFAAD94079EFBB2BF89300F14C5A9C549A7215DB309A85CF52
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2149101051.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2c40000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 60f9fd17f2f9e8894d431e1429eefc65e69c7ee27baf1bb3ddd2a39ce12060e9
                                          • Instruction ID: 8525903b403637cc6a01aa8f677a31b1d5766bcbb7f1336e03d94aec0a201423
                                          • Opcode Fuzzy Hash: 60f9fd17f2f9e8894d431e1429eefc65e69c7ee27baf1bb3ddd2a39ce12060e9
                                          • Instruction Fuzzy Hash: AB513AB4E046598FDB08CFAAC8446AEFBF2FF89300F18C16AD459A7255D7744A42CF54
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2149101051.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2c40000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1a0c1cf5cdd4562c082ade6dd46f11553a5c3bd07777a93f06ff46a58a3f50ce
                                          • Instruction ID: 8001c0d4a02235f3bb04cd93ce2334ed76d298d973da6ab7f6681eee0c8e38d1
                                          • Opcode Fuzzy Hash: 1a0c1cf5cdd4562c082ade6dd46f11553a5c3bd07777a93f06ff46a58a3f50ce
                                          • Instruction Fuzzy Hash: DC311A71E006588BDB18CFA6D8446DEBBF6BFC9310F14C16AD509A7258EB315A45CF50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 62a67d1cb63790d29d6bebf117943b616a546748a26bfb923ee379e25ec7b402
                                          • Instruction ID: 95cd1d8d13885b5152d857571bfbbd222837cc794c2c5b2011f03a45fdceb82d
                                          • Opcode Fuzzy Hash: 62a67d1cb63790d29d6bebf117943b616a546748a26bfb923ee379e25ec7b402
                                          • Instruction Fuzzy Hash: EEC08C1FE8F000D7DA013AC8B0900F8A73C87CB2A6F04B8B3D20EE3102C00482190158

                                          Control-flow Graph

                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 099D630F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 57c25acacb05fbb6099b0e4c4a596bc8cae88426d302ba35ee02af7aa835c22f
                                          • Instruction ID: 0147bb7c0c9df9ad2cde5450014b5dd7c636778375d5b4924ace82f62603ae08
                                          • Opcode Fuzzy Hash: 57c25acacb05fbb6099b0e4c4a596bc8cae88426d302ba35ee02af7aa835c22f
                                          • Instruction Fuzzy Hash: 05C11570D012298FDF20CFA8C881BEDBBB1BF49304F1095A9E949B7250DB749A85CF95

                                          Control-flow Graph

                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 099D630F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: fe9ef08c573f93ffd29e456fbd0925bfc849b21fef21f3080b0b8100211a4165
                                          • Instruction ID: 4a4cb815ab447f413c7450b7f6b1c1a4c3c65c04f57e1d8222602bd08c168665
                                          • Opcode Fuzzy Hash: fe9ef08c573f93ffd29e456fbd0925bfc849b21fef21f3080b0b8100211a4165
                                          • Instruction Fuzzy Hash: 54C11470D012298FDF20CFA8C881BEDBBB5BB49304F0095A9E949B7240DB749A85CF95

                                          Control-flow Graph

                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 02C4DB59
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2149101051.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2c40000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 92e7ae0df8095a4c09845ed5000025ba9726fce6a40f6c709694e9647b6cc82c
                                          • Instruction ID: 6f4bfb0b6f24396ae9e809cd958149e18c011503a50c3fccb07fd4a22bb5e9de
                                          • Opcode Fuzzy Hash: 92e7ae0df8095a4c09845ed5000025ba9726fce6a40f6c709694e9647b6cc82c
                                          • Instruction Fuzzy Hash: 5D51D271D0021DCFDB21DFA9C980B9EBBF5AF49300F1094AAD509AB251DB716A89CF91

                                          Control-flow Graph

                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 099D5D93
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: eb6ba1f6c7eafa609f1e206af471afb80712791425057b968e52df068bcde6c0
                                          • Instruction ID: 598ca1c636be8249e543e2295a5c33ec7edad7453d9ddd4882cf74a54f031ce9
                                          • Opcode Fuzzy Hash: eb6ba1f6c7eafa609f1e206af471afb80712791425057b968e52df068bcde6c0
                                          • Instruction Fuzzy Hash: E741B8B4D012599FCF00CFA9D984AEEFBF1BB49310F20902AE818B7210C334AA01CF64

                                          Control-flow Graph

                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 099D5D93
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: baa71c64abec4b958259e8b8c4a71b053e214a626d8209431a6635678931765a
                                          • Instruction ID: 49ccbe2815f19e4d9a19883bd907bbd329d47be8453be922a3c63e4a95b3a549
                                          • Opcode Fuzzy Hash: baa71c64abec4b958259e8b8c4a71b053e214a626d8209431a6635678931765a
                                          • Instruction Fuzzy Hash: 4741A9B5D012589FDF00CFA9D984ADEFBF1BB49310F20902AE818B7200D775AA41CF64

                                          Control-flow Graph

                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 099D5ECA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 4b10de169220e2d60f628614f1a8537b8184531106b4f560e2dd2b92afd6a6b1
                                          • Instruction ID: 57a9e1d2bdb0546ade378b82c77b6e9a31f17dc07a95825e04b952ad1b258bb7
                                          • Opcode Fuzzy Hash: 4b10de169220e2d60f628614f1a8537b8184531106b4f560e2dd2b92afd6a6b1
                                          • Instruction Fuzzy Hash: 8841B8B5D00258DFCF10CFAAD980AEEFBB1BB49310F10A42AE815B7210C775A941CF69

                                          Control-flow Graph

                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 099D5ECA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 07bda47148b226230f2ee00e2d11fd33cbf9fdbd927b9a50251b452ab0bdf47f
                                          • Instruction ID: b915c893fd1511a2065443f3dadb4dc036ffb6fa36ced7c1ea25c3d94ecee31c
                                          • Opcode Fuzzy Hash: 07bda47148b226230f2ee00e2d11fd33cbf9fdbd927b9a50251b452ab0bdf47f
                                          • Instruction Fuzzy Hash: BC41A9B5D00259DFCF10CFAAD880AEEFBB1BB49310F10A42AE815B7200D775A945CF69

                                          Control-flow Graph
                                          • Blocks: 258 99d5b98-99d5c5a (VirtualAllocEx), 261 99d5c5c-99d5c62, 262 99d5c63-99d5cad; edges: 258->261, 258->262, 261->262
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 099D5C4A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 50a2c82f1ab5f5e58e43eb0f5a47de307c4847b0e93cff2c04df1273a0e9265e
                                          • Instruction ID: 02c868c071518d800007bad3bc92c7a9d6a4a864386f04cf681640630346dac8
                                          • Opcode Fuzzy Hash: 50a2c82f1ab5f5e58e43eb0f5a47de307c4847b0e93cff2c04df1273a0e9265e
                                          • Instruction Fuzzy Hash: 2B41A7B8D00259DFCF14CFA9D980ADEFBB1BB49310F10A42AE815B7210D775A902CF55

                                          Control-flow Graph
                                          • Blocks: 267 99d5ba0-99d5c5a (VirtualAllocEx), 270 99d5c5c-99d5c62, 271 99d5c63-99d5cad; edges: 267->270, 267->271, 270->271
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 099D5C4A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 1818c54ce2461dfb2092b246cd9c9262fe239941461ad43feccb87104bbfd139
                                          • Instruction ID: 26ffce9bffae40c4fe3aed621f2ba074ccaec76a779dd8009a33317e6fdcd3c0
                                          • Opcode Fuzzy Hash: 1818c54ce2461dfb2092b246cd9c9262fe239941461ad43feccb87104bbfd139
                                          • Instruction Fuzzy Hash: 7331A6B9D01258DFCF10CFA9D980ADEFBB1BB49320F10A42AE815B7210D775A901CF69

                                          Control-flow Graph
                                          • Blocks: 276 2c481f8-2c482b7 (VirtualProtect), 279 2c482c0-2c482fc, 280 2c482b9-2c482bf; edges: 276->279, 276->280, 280->279
                                          APIs
                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02C482A7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2149101051.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2c40000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          • Opcode ID: e53d499739928536f99aba794193284d2a6027754effd66af3f90bf6a8ba9d72
                                          • Instruction ID: f83305ebb9d00bb98c70bc07a7803f7783a9fa4aa52bc2ead6f7f5aa00c3aa8d
                                          • Opcode Fuzzy Hash: e53d499739928536f99aba794193284d2a6027754effd66af3f90bf6a8ba9d72
                                          • Instruction Fuzzy Hash: A0318BB5D04258DFCB10CFA9D984ADEFBB1BF49310F24A06AE814B7210D775A945CF64

                                          Control-flow Graph
                                          • Blocks: 283 99d5a71-99d5ad8, 285 99d5aef-99d5b37 (Wow64SetThreadContext), 286 99d5ada-99d5aec, 288 99d5b39-99d5b3f, 289 99d5b40-99d5b8c; edges: 283->285, 283->286, 285->288, 285->289, 286->285, 288->289
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 099D5B27
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 51d14fd7d7d5b5af4c4585350cf4fff01df78f72266a938e941c2766783184b4
                                          • Instruction ID: 536cdfe0d55bc22b1475de7e9605feb17d2f5ca7f7af10ae9dbd6c8fb2815d83
                                          • Opcode Fuzzy Hash: 51d14fd7d7d5b5af4c4585350cf4fff01df78f72266a938e941c2766783184b4
                                          • Instruction Fuzzy Hash: 5441B8B4D012599FDB14CFAAD885AEEFBF0BF48310F24802AE409B7250D778A945CF54

                                          Control-flow Graph
                                          • Blocks: 300 99d5a78-99d5ad8, 302 99d5aef-99d5b37 (Wow64SetThreadContext), 303 99d5ada-99d5aec, 305 99d5b39-99d5b3f, 306 99d5b40-99d5b8c; edges: 300->302, 300->303, 302->305, 302->306, 303->302, 305->306
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 099D5B27
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 863e5745fbd79111462dd671dca8281c5d406c3f113f5c828fa7544fb687c548
                                          • Instruction ID: 5d3576a32fb63a61e5f62d250d5a345dbd9ee93db65f3f32a8db6007a9835830
                                          • Opcode Fuzzy Hash: 863e5745fbd79111462dd671dca8281c5d406c3f113f5c828fa7544fb687c548
                                          • Instruction Fuzzy Hash: 2F31A8B5D012589FDB10CFAAD884AAEFBF1BB48310F24902AE419B7240D778A945CF64

                                          Control-flow Graph
                                          • Blocks: 294 2c48200-2c482b7 (VirtualProtect), 296 2c482c0-2c482fc, 297 2c482b9-2c482bf; edges: 294->296, 294->297, 297->296
                                          APIs
                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02C482A7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2149101051.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2c40000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          • Opcode ID: 27a0b7296a01112f43b8cb7810c2e57875fa74117ebab3632de4fdce664d9e3d
                                          • Instruction ID: 38904fa8d88f5340e1532c1467c872ede06f60c71bb553ad1c866e557321d12a
                                          • Opcode Fuzzy Hash: 27a0b7296a01112f43b8cb7810c2e57875fa74117ebab3632de4fdce664d9e3d
                                          • Instruction Fuzzy Hash: 573178B9D042589FCF10CFAAD984ADEFBB1BB49310F24A02AE814B7210D775A945CF64

                                          Control-flow Graph
                                          • Blocks: 311 99da548-99da5fb (PostMessageW), 312 99da5fd-99da603, 313 99da604-99da636; edges: 311->312, 311->313, 312->313
                                          APIs
                                          • PostMessageW.USER32(?,?,?,00000000), ref: 099DA5EB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: e8ffc2c208b42d583bcf3abe617735c25f6f448db2e1219c5e554b2fd99a8a2c
                                          • Instruction ID: bc0d1fb1e4ab8d4b3cb4c05ddec6d3b5ba3d237c658837b09d4c3c54ab69cdc7
                                          • Opcode Fuzzy Hash: e8ffc2c208b42d583bcf3abe617735c25f6f448db2e1219c5e554b2fd99a8a2c
                                          • Instruction Fuzzy Hash: 5C3177B9D01258DFCB14CFA9E584A9EFBF4BB49310F24902AE819BB320D375A945CF54
                                          APIs
                                          • PostMessageW.USER32(?,?,?,00000000), ref: 099DA5EB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: ffc29a4294f60da0dbfe3640e379110e70c74a7c54d60bdf4c8f6ec57374a722
                                          • Instruction ID: 21859361a0959c31a5acdaf51bf5eefa391ac2ec63f9088501cb49757a53eeee
                                          • Opcode Fuzzy Hash: ffc29a4294f60da0dbfe3640e379110e70c74a7c54d60bdf4c8f6ec57374a722
                                          • Instruction Fuzzy Hash: 543177B9D05248DFCB10CF99E584A9EFBF4AB09310F14901AE818B7310D375A955CFA4
                                          APIs
                                          • ResumeThread.KERNELBASE(?), ref: 099D55CE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 3ac19ab43a83c4eb220e05a1f0b16ff2cb68e3285a4c9fad0d7be386fc38ee8c
                                          • Instruction ID: 91135f581f0351a527973dfe266cddd836d17181931d38958682f09c9d1c228a
                                          • Opcode Fuzzy Hash: 3ac19ab43a83c4eb220e05a1f0b16ff2cb68e3285a4c9fad0d7be386fc38ee8c
                                          • Instruction Fuzzy Hash: B731D8B4D012499FDF14CFA9D981AEEFBB0AF48320F24942AE815B7200DB75A901CF94
                                          APIs
                                          • ResumeThread.KERNELBASE(?), ref: 099D55CE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: ec9ec88f96b13232402ea9f0345b8de7e1d81e3dd75ec4c159499d7fa41eff57
                                          • Instruction ID: 2ff2d1ef43f8e23a3a078a1ecf7369ec91aa31be776f6bd51a519657c0e017a5
                                          • Opcode Fuzzy Hash: ec9ec88f96b13232402ea9f0345b8de7e1d81e3dd75ec4c159499d7fa41eff57
                                          • Instruction Fuzzy Hash: 6531CAB4D012599FDF10CFAAD980AAEFBB5BF48320F10942AE815B7300DB75A901CF94
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2148701983.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_13ad000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cc5a1ea1bf6709a8b34b7c2b797d83e4a5437236227bbb66d6c651ef549e6eb6
                                          • Instruction ID: 2b99b2f58f20a4d212824802ab132c299c43141573e9e58b83f0b908d7d229e2
                                          • Opcode Fuzzy Hash: cc5a1ea1bf6709a8b34b7c2b797d83e4a5437236227bbb66d6c651ef549e6eb6
                                          • Instruction Fuzzy Hash: 642145B2500244EFDB05DF54D9C0B2ABF65FB8831CF60C56DE9490BA56C336D416CBA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2148738909.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_13bd000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8ada6b647c3b74e8c705a4055ca7038b2d9c0134b42c7b03946c0f81b6ff7d7f
                                          • Instruction ID: 005f918d7fa232a603062802756ca2091472a994ee87d41631a7e24f5bff3ad3
                                          • Opcode Fuzzy Hash: 8ada6b647c3b74e8c705a4055ca7038b2d9c0134b42c7b03946c0f81b6ff7d7f
                                          • Instruction Fuzzy Hash: FF214275604204EFCB14DF58D9C0B26BF65FB8831CF20C56DDA0A0BA52D33AC407CA61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2148738909.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_13bd000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d668ad8c30f14396d97fa6f47290e4fe53db0b74b6d52b4b46f8d12462d50c3b
                                          • Instruction ID: 14eee865217b42fcdc54dc3e6cb11dd711a97bb7979ccc67df67aff1f50a787f
                                          • Opcode Fuzzy Hash: d668ad8c30f14396d97fa6f47290e4fe53db0b74b6d52b4b46f8d12462d50c3b
                                          • Instruction Fuzzy Hash: A521B0754083809FCB02CF24D9D4B11BF71EB46218F28C5DAD9498F6A7C33AD806CB62
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2148701983.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_13ad000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                          • Instruction ID: 07bc2408bdf9bed2d0c22168070b5ee1eaba317ae3c9fde1b44e4fce7fd58dbd
                                          • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                          • Instruction Fuzzy Hash: 6811E676504284CFCB16CF54D5C4B1ABF71FB84318F24C6A9D8490B657C33AD456CBA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2148701983.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_13ad000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 85c896149c4e5a8f306ee76e19e285f209be8bbf81d605f746fe8a5d1ef379cf
                                          • Instruction ID: 969bee4f58bce071b83ff4d7b9ed8546d59e43118987df627e0eed9e7b1ce835
                                          • Opcode Fuzzy Hash: 85c896149c4e5a8f306ee76e19e285f209be8bbf81d605f746fe8a5d1ef379cf
                                          • Instruction Fuzzy Hash: 61012B71004384DAF7184FA9CD84B67FFACDF41328F58C41AEE090AA96C77A9440C671
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2148701983.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_13ad000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7643e842ed64db89b6293c01d609cc6eacd3ac4ad58bc698fddd129c15bc09a9
                                          • Instruction ID: bcc41b9c0c8a7bfeb534e765546e18c49920221564f020a061fc40354f9785a5
                                          • Opcode Fuzzy Hash: 7643e842ed64db89b6293c01d609cc6eacd3ac4ad58bc698fddd129c15bc09a9
                                          • Instruction Fuzzy Hash: 58F068714053449EE7158E59DD84762FFA8EF41638F14C45AED094A686C379A844CB71
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2149101051.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2c40000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ;q7`$;q7`
                                          • API String ID: 0-3561650758
                                          • Opcode ID: 7765916af388f340fc4ed5075bd770afe8396b9d0aef80870230c5afae5ae8a1
                                          • Instruction ID: 3329c2f2339995e8fa88d3237d36edac7ae1ce35681430a6dfe8a186449b333a
                                          • Opcode Fuzzy Hash: 7765916af388f340fc4ed5075bd770afe8396b9d0aef80870230c5afae5ae8a1
                                          • Instruction Fuzzy Hash: 7181E174A00219CFCB14CFAAD584A9EFBF1FF88311F249569E419AB320D734AA42CF55
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2149101051.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2c40000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ;q7`$;q7`
                                          • API String ID: 0-3561650758
                                          • Opcode ID: fb320eebfde719fdce6c791612df98b8725b61065a09e77b84e4935239248616
                                          • Instruction ID: fb6b74e40c254c991449fff975b1e524d495b7b96985cf08e2223aa5eaaa455d
                                          • Opcode Fuzzy Hash: fb320eebfde719fdce6c791612df98b8725b61065a09e77b84e4935239248616
                                          • Instruction Fuzzy Hash: 9B71E474A00219CFCB14CFAAD584A9EBBF1FF48310F249569E419AB220D734AA42CF51
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b633ac6551b73e0ffb74a9f024b2360f799383fad047b57600e04d684c4676e5
                                          • Instruction ID: 4e51eb19f8b6bbd947dfb63c42465054a74d3c9d584e2bcbad0bc3701295b0fd
                                          • Opcode Fuzzy Hash: b633ac6551b73e0ffb74a9f024b2360f799383fad047b57600e04d684c4676e5
                                          • Instruction Fuzzy Hash: 39E10974E0025A8FCB14DFA9C581AAEFBB2FF49305F248269D455A7355C730AD42CFA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b65fbc9bdaf7f1255426dae5be4efa5ec83a6a30267c8fb0e69053fbb9c740f4
                                          • Instruction ID: 5584b75b45f6931f34d8411fe581afa41deca6d702e9d3308a050b1a3376d4d1
                                          • Opcode Fuzzy Hash: b65fbc9bdaf7f1255426dae5be4efa5ec83a6a30267c8fb0e69053fbb9c740f4
                                          • Instruction Fuzzy Hash: 65E11874E002598FDB14DFA9C581AAEFBB2FF88305F248269D415AB355D730AD42CFA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d641262dfc264eb71f0c69ca2877f5b3b92a302967beb20167613c861319c279
                                          • Instruction ID: 8bc074c4ba4b8f434954b39fba665ce265ead2f29cd08cf9e66ee4473c6f9e9e
                                          • Opcode Fuzzy Hash: d641262dfc264eb71f0c69ca2877f5b3b92a302967beb20167613c861319c279
                                          • Instruction Fuzzy Hash: D9E10974E002598FDB14DFA9C580AAEBBB2FF89304F24C259E455AB355D730AD42CFA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4da59155d2717d97dc7f34641b5827d4c2768c24c5999d914071a37cc4023d1e
                                          • Instruction ID: a3bd87bc2ed0320a3aa20b8410c72734bb706c563312afafca96c61ce31f9173
                                          • Opcode Fuzzy Hash: 4da59155d2717d97dc7f34641b5827d4c2768c24c5999d914071a37cc4023d1e
                                          • Instruction Fuzzy Hash: 4CE1F774E002598FDB14DFA9C580AAEFBB2FF89304F248269D415AB355D731AD42CFA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 58907b534312ac05d70c05b05d6cadcf0bd7c31d68ff62a7f6fe0e0f0361c18d
                                          • Instruction ID: 9d3895c41bee17f915aeb5cfef0ff156542ba1d0a3a9f28d4dceeed44e800ff9
                                          • Opcode Fuzzy Hash: 58907b534312ac05d70c05b05d6cadcf0bd7c31d68ff62a7f6fe0e0f0361c18d
                                          • Instruction Fuzzy Hash: 14E1F874E00259CFDB14DF99C580AAEBBB2FF88305F248269E455AB355D730AD42CFA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2149101051.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2c40000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6fe8e0ae8eda112ef6127a4b226a4be80f947da9615782e35ce7ff1f785f2fd1
                                          • Instruction ID: 6631e1619082319dfd148741e464d05b9ec0cb3e7d2a11d8ddf9d42c5193ffe8
                                          • Opcode Fuzzy Hash: 6fe8e0ae8eda112ef6127a4b226a4be80f947da9615782e35ce7ff1f785f2fd1
                                          • Instruction Fuzzy Hash: 3BB12E74E0021ACFDB44DFA9D980ADEBBB2FF88304F149619D519AB355EB70A945CF80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2149101051.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2c40000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 50011f0257d6d70fb6f596cb5db5d36f096cabc0bb5d47dcffaac665d1ec06f4
                                          • Instruction ID: 14801a42cbe4f5bca73c21d91e20d44580adcbddb6f9b7c1a981cdf86453a990
                                          • Opcode Fuzzy Hash: 50011f0257d6d70fb6f596cb5db5d36f096cabc0bb5d47dcffaac665d1ec06f4
                                          • Instruction Fuzzy Hash: 6C61F374E15609CFCB08CFAAC5809DEFBF2FF89250F64946AD415B7224D7349A42CB64
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2149101051.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2c40000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c8a9ad254965b1e505acafb874e58fefd75a99a177b6ff05983ba5b613eb92d7
                                          • Instruction ID: 8b1f16c31d3f1cb639562e2ed51f2f356a7da65ba68723fdf53e4433ffb4f664
                                          • Opcode Fuzzy Hash: c8a9ad254965b1e505acafb874e58fefd75a99a177b6ff05983ba5b613eb92d7
                                          • Instruction Fuzzy Hash: 0F61E274E15609DFCB08CFAAC5809DEFBF2FF89250F64942AD415B7214D7349A41CB64
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2157853256.00000000099D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 099D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_99d0000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ff81d822d17a4b890f3984242d04a6da04c8dce26702d6af4b097ee6b60887ce
                                          • Instruction ID: 95bab069e9dfeb01904d9c756911e7b1c3350dad248710c23556387de4dd1767
                                          • Opcode Fuzzy Hash: ff81d822d17a4b890f3984242d04a6da04c8dce26702d6af4b097ee6b60887ce
                                          • Instruction Fuzzy Hash: E8511674E002598BDB14CFA9C5806AEBBB2FF89304F24C66AD418AB355D7319D42CFA0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2149101051.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2c40000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 58b3b25bf254bb5587f189382ee41789aa769f89e47125fdfecd9361c4a846c4
                                          • Instruction ID: a09146dbca156c08bb03f6a740ee22d322d2c1aac7f256413f5895c66d54c7f6
                                          • Opcode Fuzzy Hash: 58b3b25bf254bb5587f189382ee41789aa769f89e47125fdfecd9361c4a846c4
                                          • Instruction Fuzzy Hash: 405139B1E0524A8FCB08CFAAC5805AEFBF2FF99350F64D56AC405A7254D7309A42CF95
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2149101051.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2c40000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5cfc1de4e330f7e2769932f49e53c944c28694ea35364f59ae8f399a1df720a3
                                          • Instruction ID: d6880fd748fc6e4b2971523bc3072a962b516a73bdf22ca52224bb34164784ba
                                          • Opcode Fuzzy Hash: 5cfc1de4e330f7e2769932f49e53c944c28694ea35364f59ae8f399a1df720a3
                                          • Instruction Fuzzy Hash: 0F5106B1E0520A9FCB08CFAAC5815AEFBF2FB98350F64956AC405B7214D7309A42CF95
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2149101051.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2c40000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5c2c81c88a328da063c2e47f5ddcc9c53deccaa6283e118cd2a7dd6813037263
                                          • Instruction ID: 91e3083a3d7fb8c68c57db811445d4efb2e8db491e632e85e08b33b8a6bfbfd8
                                          • Opcode Fuzzy Hash: 5c2c81c88a328da063c2e47f5ddcc9c53deccaa6283e118cd2a7dd6813037263
                                          • Instruction Fuzzy Hash: 91415D71E056588BEB18CF6B8D4479EFBF3AFC9300F14C1BA850DA6255EB3019858F11
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2149101051.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2c40000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ff4d57b77c1ed74de8584cff7ee7a8003e40f1a2551802c609d5c1e999325d6c
                                          • Instruction ID: c4e4ded23b42c417c31fe0012e2d859e4bf8cfc1a1c3ee8f7267e560361bf6ec
                                          • Opcode Fuzzy Hash: ff4d57b77c1ed74de8584cff7ee7a8003e40f1a2551802c609d5c1e999325d6c
                                          • Instruction Fuzzy Hash: C94104B0E052099BDB48CFAAD5806EEFBF2AF88340F64D46AD505B7254E7349A41CB94
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2149101051.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_2c40000_TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 05-27-2024_xlsx.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: abc0bbd651ec187e330839d90cd0aeae8cc16b51c8948e8de4ab3791302baafb
                                          • Instruction ID: 88d2f2fd8cdaf4d07cab8eae4f16cac26c531530cf4bedf8e9ad9ee0b70909ed
                                          • Opcode Fuzzy Hash: abc0bbd651ec187e330839d90cd0aeae8cc16b51c8948e8de4ab3791302baafb
                                          • Instruction Fuzzy Hash: B64114B0E042098BDB48CFAAD5806EEFBF2BF88340F64D16AD505B7254D7309A41CFA4
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ab6a234fbd3784bb47d05f324dced7a1fee2f63bb3de9d839f4dd1bad2637469
                                          • Instruction ID: ecc6d1a23a544c2568fb51a0ebb65b65e4261e2fc5ae596dc8c565baaad7a56d
                                          • Opcode Fuzzy Hash: ab6a234fbd3784bb47d05f324dced7a1fee2f63bb3de9d839f4dd1bad2637469
                                          • Instruction Fuzzy Hash: CC53E831C10B1A8ACB51EF68C880599F7B1FF99300F15D79AE458BB125FB70AAD5CB81
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 37116c9bb53dbcbddc479543c550bd7c33b8419138aaa6ffb8b7c235c87571fe
                                          • Instruction ID: 4c1522c010fcfea7c24146c6f54037ac5437f8b3453839ce43725defa8031d3b
                                          • Opcode Fuzzy Hash: 37116c9bb53dbcbddc479543c550bd7c33b8419138aaa6ffb8b7c235c87571fe
                                          • Instruction Fuzzy Hash: 5F330F31D10B1A8ADB11EF68C8845ADF7B1FF99300F15C79AE459A7211EB70EAC5CB81
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f7b652be1d98e004a73917e6239ea02ffe4ba46b63b8e2ac31a1eae16691a3c0
                                          • Instruction ID: ef50a37d3c9357c4b9bb6b0218b77e060798ef6300cc97540b67db1f1fa1b46d
                                          • Opcode Fuzzy Hash: f7b652be1d98e004a73917e6239ea02ffe4ba46b63b8e2ac31a1eae16691a3c0
                                          • Instruction Fuzzy Hash: E6B15C70E00219CFDB10CFA9C8917ADBFF2AF88754F248529D855EB294EB74D945CB81
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3db9241e8665ea08349bd68ccd1836284ffeee7fbfa3ebd29f1c53b1b2a94b48
                                          • Instruction ID: caf539efe91f54a3b78fd9fe9399ae61a188f1e1cd27f3470f4ea164e8277ac2
                                          • Opcode Fuzzy Hash: 3db9241e8665ea08349bd68ccd1836284ffeee7fbfa3ebd29f1c53b1b2a94b48
                                          • Instruction Fuzzy Hash: EB917970E00609CFDF10DFA9D8817AEBBF2BF88344F148129E815E7254EB749A45CB92
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fcf7fb54c19769c37974a0d54c93bcde353b19b7780bf1c78565946eae24b70d
                                          • Instruction ID: d31755649176271d6712db7ff93f186a718fbe38c4a7a785594968ec67273963
                                          • Opcode Fuzzy Hash: fcf7fb54c19769c37974a0d54c93bcde353b19b7780bf1c78565946eae24b70d
                                          • Instruction Fuzzy Hash: 78124D30712202DBDB1AAB38E49462D37A2FBDA700B50492DD005DB365DF79DD87CBA1
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1276927247902262f8558c277d42fa8bbc1165bf3aa0c90b0f0b8eadccb87118
                                          • Instruction ID: 97ada19a24d3f139836a96b22d120fa699b10ccbbf7d6e1bffb437a7149cbb16
                                          • Opcode Fuzzy Hash: 1276927247902262f8558c277d42fa8bbc1165bf3aa0c90b0f0b8eadccb87118
                                          • Instruction Fuzzy Hash: ABD19D34F012058FDB15DF68D984AADBBB2FB89324F248529E506E73A1DB34DD42CB90
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6c2e9fa629cd6ff4c39ad4c04801ceb130e2da61f07f1e3230fb60823be62bee
                                          • Instruction ID: 741040a467a63c6bd491f2c11d4ceb72e19c09a0b9be13628cd4d71d8fc34784
                                          • Opcode Fuzzy Hash: 6c2e9fa629cd6ff4c39ad4c04801ceb130e2da61f07f1e3230fb60823be62bee
                                          • Instruction Fuzzy Hash: 78C1AF70E002058FDF15DF69D880BAEBBB2FB88324F248169E909DB395DB74D941CB91
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e196074fb6b63a7e004497f714223a4e31e9c6ceccb0ab2410f7f7b0a14670a9
                                          • Instruction ID: 975662d8a2c666ced6ba2663c102dfdffd9495bb10c2518b77422098c02396fa
                                          • Opcode Fuzzy Hash: e196074fb6b63a7e004497f714223a4e31e9c6ceccb0ab2410f7f7b0a14670a9
                                          • Instruction Fuzzy Hash: 48B14C70E00219CFDB10CFA8D8957ADBFF2AF88754F248129E855E7254EB74DA45CB81
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 90bc29bb961fbb89bcff3218e9ae13fa0a3b69da02b8dc59993326a21d308b99
                                          • Instruction ID: 607b550bb2ee7e7034aca2f15209fd1f02b9c56de9d311f0add81caa6841192e
                                          • Opcode Fuzzy Hash: 90bc29bb961fbb89bcff3218e9ae13fa0a3b69da02b8dc59993326a21d308b99
                                          • Instruction Fuzzy Hash: BFA16A70E00609DFDF11DFA8D88179DBBF2BF88344F148129E815E7254EB749A45CB92
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4d882fae129ac2699f34562251372f261fe344ecdee9d49b2a28d8b0d9c6b14b
                                          • Instruction ID: afecf72cc0cd248f67763874d6289b38c10848ca2bff69066cacbf140e1056ce
                                          • Opcode Fuzzy Hash: 4d882fae129ac2699f34562251372f261fe344ecdee9d49b2a28d8b0d9c6b14b
                                          • Instruction Fuzzy Hash: 927146B0E00249CFDB10DFA9C9807AEFBF2AF88714F148129E415EB264EB749945CF95
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bf0160cee15e3fdc4e65a7d86794204a9bc80f9ddad1c7f74d6e3468aca88455
                                          • Instruction ID: a5fc03f0727a0dd49306539a84fbaa7e4c4adfe9ee1f7dea1fc3e1a10127791c
                                          • Opcode Fuzzy Hash: bf0160cee15e3fdc4e65a7d86794204a9bc80f9ddad1c7f74d6e3468aca88455
                                          • Instruction Fuzzy Hash: 48715870E00249CFDB10DFA9C8807AEFBF2AF88714F148129E415EB264EB749941CF95
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b4ff98189606fcdd1d54d6cb0a0c449124ef9d8533c82b683329232a749d9086
                                          • Instruction ID: 250de14e56db6c3db2f48525c4486bec5d6ee3d31edb7412b239f2c75ad14785
                                          • Opcode Fuzzy Hash: b4ff98189606fcdd1d54d6cb0a0c449124ef9d8533c82b683329232a749d9086
                                          • Instruction Fuzzy Hash: 6A519E31A01219DFDB15DF78C454BAEB7B2EF89300F20856AE405EB291EB71DA42CB91
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b42a34069d740d06dc0aac9f747a218c24d8f50ce15bbc236997dcd7012c0946
                                          • Instruction ID: a10afb01421f7a569ea85a36694b74ea34320436f4bc934b6ef83bcc063b4fc9
                                          • Opcode Fuzzy Hash: b42a34069d740d06dc0aac9f747a218c24d8f50ce15bbc236997dcd7012c0946
                                          • Instruction Fuzzy Hash: 0F516134206146DFD709DF2AFA809583FB5FB8E30534959ADC1105B276DEB86E89CF42
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 123c1b4aa6862af2595c5567f666ac396dfc9be3c1737d4fddd773d379d7ba3d
                                          • Instruction ID: bb669a00629f063eb79f64de6388b0d716fe6380e35c990f6b97c410aa4c03ce
                                          • Opcode Fuzzy Hash: 123c1b4aa6862af2595c5567f666ac396dfc9be3c1737d4fddd773d379d7ba3d
                                          • Instruction Fuzzy Hash: BF512371D10618CFEB18CFA9C884B9DBBB1BF48310F24851AE819BB351E774A944CF55
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1d7c7efde719c34ecf707e051c598b44252379d4f85b356215df913691a65483
                                          • Instruction ID: 3d9ddeceabd16da2ee37c65fc3450c50bcfeecf404395f2230ac8df6d8646bb0
                                          • Opcode Fuzzy Hash: 1d7c7efde719c34ecf707e051c598b44252379d4f85b356215df913691a65483
                                          • Instruction Fuzzy Hash: B5512671D106198FEB14CFA9C884B9DFBB1BF48310F248519E819BB351E774A944CF95
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7720369c1f80df76d489829c6b55a3fb920e12ab00e4f81529b348f4145cf00c
                                          • Instruction ID: 520b7df9c81394c034a4a1c4991e786f19ff04b4f864fd3dc0f073a97f3dd8c1
                                          • Opcode Fuzzy Hash: 7720369c1f80df76d489829c6b55a3fb920e12ab00e4f81529b348f4145cf00c
                                          • Instruction Fuzzy Hash: A141CC307002058FDB1AAB3AD59466E3BB2BF89744F64456CD106DB396DE35DD42CB90
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fcd00bf79ce38cde9c0bb5d2dd8c36f1ad08f4a8a8447bc7fc8a0d41b199ac26
                                          • Instruction ID: d29111a12e9d4d27d3a55c028d28100bf441ee117de5392020a722ebcb51b0f2
                                          • Opcode Fuzzy Hash: fcd00bf79ce38cde9c0bb5d2dd8c36f1ad08f4a8a8447bc7fc8a0d41b199ac26
                                          • Instruction Fuzzy Hash: A1513E34206146EFD709DF2AFA809583FB5FB9E30134959ADD1105B276DEB82E89CF81
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7693c40bd0a105b58b1d7ec9be436c75de9d5c91830c27d45a132874bab7cc45
                                          • Instruction ID: e26b6564a81993236658419f411984b73cad13580918d51e1524d520ecb08573
                                          • Opcode Fuzzy Hash: 7693c40bd0a105b58b1d7ec9be436c75de9d5c91830c27d45a132874bab7cc45
                                          • Instruction Fuzzy Hash: DF31A135E102069BCB19CFA9D884A9EB7B2BF89300F10C519E916E7351DF70ED42CB50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 036842cff9688ad1c6bc9714aff24366a85b5523e1c427583f0cb46d63d3d88c
                                          • Instruction ID: f9d51bac38a2f23a885d24c21968245bdeb30998165a68055e4ce48d942c8160
                                          • Opcode Fuzzy Hash: 036842cff9688ad1c6bc9714aff24366a85b5523e1c427583f0cb46d63d3d88c
                                          • Instruction Fuzzy Hash: 05317035E10619DBEB15DF69D44479EB7B2FF89310F608529E806FB240EB71EA42CB50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6c14debae69d765e3ae6d61f814919988b3adcdc0fe267f39dada34f69bc7658
                                          • Instruction ID: 28a315ec31dcfc6a4fd12324fba893bfdd74cb241950dc6fc9ca2536b674fe55
                                          • Opcode Fuzzy Hash: 6c14debae69d765e3ae6d61f814919988b3adcdc0fe267f39dada34f69bc7658
                                          • Instruction Fuzzy Hash: 5741DDB0900349DFDB10CFA9C984ADEBFB5EF48314F248429E819AB254DB75AA45CF90
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0e6c5cd80cfe5a55e2eb7f68f62e8b7891e91d9f7492b09feeb3a174c991e50d
                                          • Instruction ID: bdee5ee56fda846ce3ed64157a2d6dfb48e1d667ddb7c46a256a67f1e882ad12
                                          • Opcode Fuzzy Hash: 0e6c5cd80cfe5a55e2eb7f68f62e8b7891e91d9f7492b09feeb3a174c991e50d
                                          • Instruction Fuzzy Hash: 69317035E1060A9BDB19DFA9D494A9EB7B2BF89300F10C519E916E7350DF70ED42CB50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d92d9511405ae23fcf373a7e91d23fb4a6d7c84bba92d5fbc4a7471548d1995b
                                          • Instruction ID: 1e814635f4e9cd2904682dff5fa81e6512a4dc9b85f4507f1d2ed448224daa9d
                                          • Opcode Fuzzy Hash: d92d9511405ae23fcf373a7e91d23fb4a6d7c84bba92d5fbc4a7471548d1995b
                                          • Instruction Fuzzy Hash: 5241EEB0900349DFDB10CFA9C980A9EBFB5EF48310F108029E519AB254DB75AA45CB90
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: be54d47f4844d6841eebf7082f8a7f2a86b864eb0d3009418ba8cb0d5768065b
                                          • Instruction ID: e7acabc29fa4c7722676ea90ba0cb49833167c2bb396087bd1997b4a5c6d6751
                                          • Opcode Fuzzy Hash: be54d47f4844d6841eebf7082f8a7f2a86b864eb0d3009418ba8cb0d5768065b
                                          • Instruction Fuzzy Hash: F5315934700215DFDB25DB79D5A4AAD77B2AF48345B1004ACD801EB390DF3ADE41CBA1
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2eff406e101d16ebd0bc1ebd8ea1974f022fb4c182615ed79d67d277dabaa456
                                          • Instruction ID: be007ebf4acaf5865de8fbc80f1b1f71ce3c48026fee1ea38287c1f8ffdcd581
                                          • Opcode Fuzzy Hash: 2eff406e101d16ebd0bc1ebd8ea1974f022fb4c182615ed79d67d277dabaa456
                                          • Instruction Fuzzy Hash: 0B316934B012199FDB25DB79D5646AD7BF2AF89345B1004A8C805EB390DF3ACE41CBA1
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 545fb834aa6be625a2673f7cd4b7d690be9632596be4deea0db378cfed2d16fa
                                          • Instruction ID: 6f605a59e3ad5b3f2303cf8edb0910f1bbb9614e0ea86f2530dd9fe2e68ba6d7
                                          • Opcode Fuzzy Hash: 545fb834aa6be625a2673f7cd4b7d690be9632596be4deea0db378cfed2d16fa
                                          • Instruction Fuzzy Hash: 6331B431A00215CFDF22AFB8D4882AD7BB6EB15319F14007AE806DB782E735CA41CB91
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b363deb52a7da1dfe12e52f924754a9f4d80d1091959d2d66aafabf7601db74b
                                          • Instruction ID: a53035d58855cd3c99a026d332be25902f284206b372f8ec5a3a9d67e0b775fb
                                          • Opcode Fuzzy Hash: b363deb52a7da1dfe12e52f924754a9f4d80d1091959d2d66aafabf7601db74b
                                          • Instruction Fuzzy Hash: 942104312092909FD703EB38D86069A3FB1EF8B240B15459FD045CB2A6EE349D48C7A2
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d733d9320769f36d0730ddf61f75b7ef48f7128c1859be834af705c37a84c988
                                          • Instruction ID: 0e15ef9bf82383fbd90a3f9be8428be6ad3182560ccc844fc1a98cb63e32d067
                                          • Opcode Fuzzy Hash: d733d9320769f36d0730ddf61f75b7ef48f7128c1859be834af705c37a84c988
                                          • Instruction Fuzzy Hash: 1A31B131E1020A9BDB05DFA9D89069EBBB2FF89314F14C619E815EB350DB70D986CB50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 232a96501904778ed23e4b1f73507ca5c39854e158356c4307a42c0427bc5637
                                          • Instruction ID: 20f29ff98ec7bd024287cadbbefb6c7ae5f3a52991464fd5ef29b6d8c4a44aa0
                                          • Opcode Fuzzy Hash: 232a96501904778ed23e4b1f73507ca5c39854e158356c4307a42c0427bc5637
                                          • Instruction Fuzzy Hash: B8217E31E1020A9BDB09DFA9D49069EBBB2FF89314F50C619E815EB251DB70DD86CB90
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7949937c4d7b3dd0995b3cb1049034a9940a973ecd6bec2ef82630008968d2ce
                                          • Instruction ID: 91dcf871a7c5c0e90bf713882cb17928fbf8d575e13226ee2f56582960db524a
                                          • Opcode Fuzzy Hash: 7949937c4d7b3dd0995b3cb1049034a9940a973ecd6bec2ef82630008968d2ce
                                          • Instruction Fuzzy Hash: FE21C735E00619CFCB19CFA8D8445DEB7B2AF89314F50861AE826F7341DB70EA51CB50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 144015cdb3d4112b712593214b8c715e97120124655284b353fba2b12a3ee612
                                          • Instruction ID: 06ce733c6d8026bee06ada9a185e44cdf2844c1d54ffa1751fc727c73372da3b
                                          • Opcode Fuzzy Hash: 144015cdb3d4112b712593214b8c715e97120124655284b353fba2b12a3ee612
                                          • Instruction Fuzzy Hash: 0921D578700204CFDB55DF79D559AAD7BF1EB89304B1105A8E406EB360DB39DE01CB91
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 91ba50265d3227f5eb6198586be9d17ec55b684ce66c374caa73425e5c7ee105
                                          • Instruction ID: 7a7a72140fb06a1b67d050e99f9bdf4c3c156f4742535a8b7a1857f485bc9604
                                          • Opcode Fuzzy Hash: 91ba50265d3227f5eb6198586be9d17ec55b684ce66c374caa73425e5c7ee105
                                          • Instruction Fuzzy Hash: CB21CF346002058FFF66E73CE8887193B66EB8D308F145A69D416CB6A6DF78DD808B91
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d438fdad8bac353a64031b79b10d0cad7de3910c9e0f659e7afac4cab7ba6eac
                                          • Instruction ID: 1cf74994947d63c93d8afdd054f98c4842307a801f982141d1270c466c0be04c
                                          • Opcode Fuzzy Hash: d438fdad8bac353a64031b79b10d0cad7de3910c9e0f659e7afac4cab7ba6eac
                                          • Instruction Fuzzy Hash: 67212A30700205DFDB25EB69C6597AE77B2AF49305F5004A9C506EB750DB35DE41CB91
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2229681911.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_14ad000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5ccdc84c47e19cafdd6e02d269a66d9e5886739075ea3c5d4afe1ee4cba6f400
                                          • Instruction ID: e75d448162b51903548d3407238bbaaedae3a9f26e796eeabccc2b8f0d71bc89
                                          • Opcode Fuzzy Hash: 5ccdc84c47e19cafdd6e02d269a66d9e5886739075ea3c5d4afe1ee4cba6f400
                                          • Instruction Fuzzy Hash: DE2167B1948200DFDB14DF54D9C0B26BB61FB94318F60C56ED90A0B762C376D447CA61
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2229681911.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_14ad000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a8055c7a27f5361a624c3805a635a51db1e0caf032d3d9a966f7405360b73014
                                          • Instruction ID: 79d5a595df7d843270837a73f430051b4c1a7c4df9cd7d98f72b20091c054859
                                          • Opcode Fuzzy Hash: a8055c7a27f5361a624c3805a635a51db1e0caf032d3d9a966f7405360b73014
                                          • Instruction Fuzzy Hash: 9D218B7544D3C09FCB03CF64D990711BF71AB46214F29C5DBD8898F6A3C23A980ACB62
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6966333916c39aba69dd9ccf34050f801ca4e5c4560eae93f426b3158ee35bf1
                                          • Instruction ID: ea879094810921b58afe334fbd659a2422ba536cc8b839ca411293e0be99f8ca
                                          • Opcode Fuzzy Hash: 6966333916c39aba69dd9ccf34050f801ca4e5c4560eae93f426b3158ee35bf1
                                          • Instruction Fuzzy Hash: BA219230E0061A9BCB19DFA9D84459EF7B6AF89314F10C52AE825FB340DB70DA41CB50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 04a4e38a58f1e1b888006d79efa9d1093e2492bb75633b7690b453531608f0fa
                                          • Instruction ID: 71da51c1d1d02259110555a858e4a8ec67e5990100db96b82cc369bbd53cdca8
                                          • Opcode Fuzzy Hash: 04a4e38a58f1e1b888006d79efa9d1093e2492bb75633b7690b453531608f0fa
                                          • Instruction Fuzzy Hash: 39217F70600201CFEB36A72CD8CD36D3B66E74A315F1408A9E806D7B95DB69DEC4C752
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d64805047a43ed78b62de7227e1b469f8ce6e4a4ebe06f767e0dbd0cc62d9192
                                          • Instruction ID: 187d93dd7804ded170e7af6ed867daadd6f51442a9c35789f13ed6ce1eb9d92f
                                          • Opcode Fuzzy Hash: d64805047a43ed78b62de7227e1b469f8ce6e4a4ebe06f767e0dbd0cc62d9192
                                          • Instruction Fuzzy Hash: 47212734B00209DFDB15EB69C5597AE7BB2AB4A340F500469C506EB750DF35DE41CBA2
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b5206270055452dd580d498e5ac0c4144f4c040517efe8470f7912f892770f81
                                          • Instruction ID: 52d78a2fd0e67e7df7e9e69db9cd78809b3b1fd23bba5710de76d2a251c316e6
                                          • Opcode Fuzzy Hash: b5206270055452dd580d498e5ac0c4144f4c040517efe8470f7912f892770f81
                                          • Instruction Fuzzy Hash: 1421D2346001058BFF65E72DE8887197B66E78D354F105A28D416C7656DF78DD808BD1
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1e72173b48fac987886f16bcb0a1bcf75ccf0f6bb4311af5b1ba89e0879a1caa
                                          • Instruction ID: af391f882e322b0f3bb0aafbf809fbda1e2f8944e9e49f28b42ff5436c64b498
                                          • Opcode Fuzzy Hash: 1e72173b48fac987886f16bcb0a1bcf75ccf0f6bb4311af5b1ba89e0879a1caa
                                          • Instruction Fuzzy Hash: 4D21E378700208CFDB55DB79D558AAD7BF1EB89704B1004A8E506EB3A4DB36DE01CB91
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1b44495755a0482e1c826c564f2bc02e69b05fc5b116358dc953ad82909addbc
                                          • Instruction ID: a2899fcb7791bfcda9ac8a988868e66d8303ea632f45eb3ed53527b5a470fe35
                                          • Opcode Fuzzy Hash: 1b44495755a0482e1c826c564f2bc02e69b05fc5b116358dc953ad82909addbc
                                          • Instruction Fuzzy Hash: 7911C430A003098BEF265BB9C80437D3A51EB4B314F24483AE002CF242DA35CE818BD1
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f4c7e841936011784646c618d72b7d97f48a365d4ee3b8f4d8c764f5aa412624
                                          • Instruction ID: 7d5fe002bd92dcb7d008f0aa6e7e32e4d2daf8df36375d5d7f76529e43bab6ee
                                          • Opcode Fuzzy Hash: f4c7e841936011784646c618d72b7d97f48a365d4ee3b8f4d8c764f5aa412624
                                          • Instruction Fuzzy Hash: 4A116D30B002098BEF65ABBEC84476A3651FB8B714F204829E116CF356DA75DE818BD1
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bb6eff24413af97fc9cccb2d9d3e45ee0a6e368d24959a7e4ed2f097007e8cc2
                                          • Instruction ID: 44e8df586177357556e1a48e3db94b46b042c752efd13db39dcf0bb880452c32
                                          • Opcode Fuzzy Hash: bb6eff24413af97fc9cccb2d9d3e45ee0a6e368d24959a7e4ed2f097007e8cc2
                                          • Instruction Fuzzy Hash: C011C275B003519FCB11EBB9984866EBBE5EB8C350F100869E906E3304EB34DA418B91
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 87e564449f293fc67f7b89c42f39334e3ae8dbf5afdd95b3cf60cddf9aa49fc9
                                          • Instruction ID: a28a6f91fd716292a3c9abd520d6be5a52297c7edfd0ca7708cf172892ab9b83
                                          • Opcode Fuzzy Hash: 87e564449f293fc67f7b89c42f39334e3ae8dbf5afdd95b3cf60cddf9aa49fc9
                                          • Instruction Fuzzy Hash: A2014031A002159FCB25EFBC84941AEBBF6EB49314F14047AE805EB341E635DA418B91
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 741e48f493eecd7cd5b45961d14f0af64eb4ea9f14b12b3d401fd57985a6f5cd
                                          • Instruction ID: 585c0512a4a2b7e2675d84bc52a3c31c4a02dd39275711723317ab516d369295
                                          • Opcode Fuzzy Hash: 741e48f493eecd7cd5b45961d14f0af64eb4ea9f14b12b3d401fd57985a6f5cd
                                          • Instruction Fuzzy Hash: 28018F7090114AEFEB49EFB8F98058C7FB1EF88300F5051ADC404AB161DE742E448B51
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f81fe4caabc5aed89a3c72cd75ee1ce1dab03af4c03ef4c52e54b05c7ae0c658
                                          • Instruction ID: a94c68c6f095afeec28081895be3c1b9ec9b35a9e5ac884f186098386040c4b3
                                          • Opcode Fuzzy Hash: f81fe4caabc5aed89a3c72cd75ee1ce1dab03af4c03ef4c52e54b05c7ae0c658
                                          • Instruction Fuzzy Hash: EFF0C439B00208CFC718EB78D598A6D77B2EF8D315F5040A8E9069B3A4CB35AD82CF50
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2230271102.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1870000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a6f22ba1b5d00d5d8e1d3a110f0a2a0da57bd3d60f313e63d4df80ba29d39201
                                          • Instruction ID: a3090c2e87e417e22a1b6720cda6a8eb7094d4de588425789b1e7c746dd94670
                                          • Opcode Fuzzy Hash: a6f22ba1b5d00d5d8e1d3a110f0a2a0da57bd3d60f313e63d4df80ba29d39201
                                          • Instruction Fuzzy Hash: D4F0A47090114EEFEF48EFB9F84058D7BB1EB88300F50426CC504A7260EE742E448BA1

                                          Execution Graph

                                          Execution Coverage: 13.2%
                                          Dynamic/Decrypted Code Coverage: 100%
                                          Signature Coverage: 0%
                                          Total number of Nodes: 217
                                          Total number of Limit Nodes: 18
                                          Execution graph (rendered node/edge listing omitted). Starting nodes of each subgraph: 17cd01c, 5a46020, 5a43910, 5a4a710, 1858200, 9c068d5, 185c9b0, 9c09538, 5a45dd8. APIs reached in the graph: CallWindowProcW, DuplicateHandle, GetModuleHandleW, LoadLibraryExW, CreateWindowExW, VirtualProtect, CreateProcessA, Wow64SetThreadContext, ResumeThread, WriteProcessMemory, ReadProcessMemory, VirtualAllocEx, CreateActCtxA, PostMessageW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId.

                                          Control-flow Graph

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 05A45E56
                                          • GetCurrentThread.KERNEL32 ref: 05A45E93
                                          • GetCurrentProcess.KERNEL32 ref: 05A45ED0
                                          • GetCurrentThreadId.KERNEL32 ref: 05A45F29
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2256076204.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_5a40000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: f37aad224b91ae87f4d95a2a07a7360e1a8db8a8d7c2713f2bc2a8a3a90c832e
                                          • Instruction ID: 4a4c7acfb84d46ffde70021b35f924e888ebc5b0dc50c00ed54b5eb04da0d79e
                                          • Opcode Fuzzy Hash: f37aad224b91ae87f4d95a2a07a7360e1a8db8a8d7c2713f2bc2a8a3a90c832e
                                          • Instruction Fuzzy Hash: D95167B090130ACFDB14DFAAE588B9EBBF5FF88314F208459E419A7250DB746944CF65

                                          Control-flow Graph

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 05A45E56
                                          • GetCurrentThread.KERNEL32 ref: 05A45E93
                                          • GetCurrentProcess.KERNEL32 ref: 05A45ED0
                                          • GetCurrentThreadId.KERNEL32 ref: 05A45F29
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2256076204.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_5a40000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 9f0fcc2a6b5738c5863be28689d4ac6d76c19103a9449eb954437881b70483f2
                                          • Instruction ID: f933b429c62f0ffe7103002480db56199ac7c64d28f20aa2ef0136bde2304ab0
                                          • Opcode Fuzzy Hash: 9f0fcc2a6b5738c5863be28689d4ac6d76c19103a9449eb954437881b70483f2
                                          • Instruction Fuzzy Hash: 845155B090130ACFDB54DFAAE588B9EBBF5FF88314F208459E019A7250DB746944CF65

                                          Control-flow Graph

                                          Control-flow graph for the function at 9c0616c (rendered basic-block graph with executed/not-executed colouring omitted); CreateProcessA is called from block 9c06364-9c06452.
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09C0643F
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2259054864.0000000009C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9c00000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 66ba7178c81d93ecad7ea0ada5773f42ec035855bdb119a4fe3e588e559001f6
                                          • Instruction ID: a327b38cfc259c265b9af6b3b82f6f9f608256c09f6f197920c7fa4f046ab9e4
                                          • Opcode Fuzzy Hash: 66ba7178c81d93ecad7ea0ada5773f42ec035855bdb119a4fe3e588e559001f6
                                          • Instruction Fuzzy Hash: 10C10871D0021D8FDF20CFA8D9557EDBBB1BB89310F1096A9E409B7280DB749A95CF94

                                          Control-flow Graph

                                          Control-flow graph for the function at 9c06178 (rendered basic-block graph with executed/not-executed colouring omitted); CreateProcessA is called from block 9c06364-9c06452.
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09C0643F
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2259054864.0000000009C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9c00000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 36d219c17e13978f048ac53177dd86af6997cb73d975f12fb34dd623e9589744
                                          • Instruction ID: 148dfe1ee9f2a1ed598da49d428770ade675606f014bb454320dcbbf624f8459
                                          • Opcode Fuzzy Hash: 36d219c17e13978f048ac53177dd86af6997cb73d975f12fb34dd623e9589744
                                          • Instruction Fuzzy Hash: F2C10771D0021D8FDF20CFA8D955BEDBBB1BB89300F0096A9E409B7280DB749A95CF95

                                          Control-flow Graph

                                          Control-flow graph for the function at 5a43a08 (rendered basic-block graph with executed/not-executed colouring omitted); GetModuleHandleW is called from block 5a43c5d-5a43c9a, with internal calls to 5a40f54, 5a43ce8, 5a43cd8, 5a433ac, 5a433bc, 5a433cc and 5a433dc.
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(?), ref: 05A43C8A
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2256076204.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_5a40000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 3d01baaef07ad0c1f2173dfb993ee759637d4241b8f4f155bbd0d6d80e8b2bbb
                                          • Instruction ID: a0ec5ec4d6b50e889a7a561c119a830114d65d13cba1f5b513d2efcabd8b34c6
                                          • Opcode Fuzzy Hash: 3d01baaef07ad0c1f2173dfb993ee759637d4241b8f4f155bbd0d6d80e8b2bbb
                                          • Instruction Fuzzy Hash: A1911470A007099FDB24DFA9D484B9ABBF1FF88300F14892AD45AE7650D775E885CF90

                                          Control-flow Graph

                                          Control-flow graph for the function at 5a4a70a (rendered basic-block graph with executed/not-executed colouring omitted); CreateWindowExW is called from block 5a4a844-5a4a8e4.
                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 05A4A8D1
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2256076204.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_5a40000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          • Opcode ID: ae074ff046a886bc81ba44909ed953d99f0d9d676e1780723f87c2993dc5c974
                                          • Instruction ID: 3ca99e8a5051887cb950083b8bf203076451312c7ebe650aab279cd41d57d441
                                          • Opcode Fuzzy Hash: ae074ff046a886bc81ba44909ed953d99f0d9d676e1780723f87c2993dc5c974
                                          • Instruction Fuzzy Hash: F36169B4D00218DFDF20CFA9D984ADEBBF1BF49300F1491AAE818A7211D731AA85CF44

                                          Control-flow Graph

                                          Control-flow graph for the function at 5a4a710 (rendered basic-block graph with executed/not-executed colouring omitted); CreateWindowExW is called from block 5a4a7dc-5a4a8e4.
                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 05A4A8D1
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2256076204.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_5a40000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          • Opcode ID: 6fa9cbb7ab74653486733445e4cec662e9ce5ce1c41edd060f9e67fbc2643b2d
                                          • Instruction ID: fcde726f94cf6beef94a28b909bc755e511e9487120e41d519d1eab1d28072c6
                                          • Opcode Fuzzy Hash: 6fa9cbb7ab74653486733445e4cec662e9ce5ce1c41edd060f9e67fbc2643b2d
                                          • Instruction Fuzzy Hash: 826168B4D04218DFDF60CFA9D984ADEBBF1BB49300F1491AAE918A7211D771AA85CF44

                                          Control-flow Graph

                                          Control-flow graph for the function at 185c5cc (rendered basic-block graph with executed/not-executed colouring omitted); CreateActCtxA is called from block 185c5cc-185db6c.
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 0185DB59
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2246505169.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_1850000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 8072c3a77928c22339057fb81c4b47fcbcee223f42d12c368dc3936b37871d1b
                                          • Instruction ID: 37b7bbdc40cf0986a004a9c4f12fd4169715a29a8cc0c278bc589b776693290f
                                          • Opcode Fuzzy Hash: 8072c3a77928c22339057fb81c4b47fcbcee223f42d12c368dc3936b37871d1b
                                          • Instruction Fuzzy Hash: F351E071D0021CCFDB21DFA9C980BDEBBF5AF49300F1085AAD509AB251DB716A89CF91

                                          Control-flow Graph

                                          Control-flow graph for the function at 9c05de8 (rendered basic-block graph with executed/not-executed colouring omitted); WriteProcessMemory is called from block 9c05e72-9c05ed3.
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09C05EC3
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2259054864.0000000009C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9c00000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 4d42ca0e702a4cd69f7581f7cd8ada6df9e5f73b3310acc5575e548a9d8f0910
                                          • Instruction ID: 0bea89b785e812f91b47de8548533d487f6ef30d950dbd5675783cee40c2c2be
                                          • Opcode Fuzzy Hash: 4d42ca0e702a4cd69f7581f7cd8ada6df9e5f73b3310acc5575e548a9d8f0910
                                          • Instruction Fuzzy Hash: D541BCB5D012589FCF00CFA9D984ADEFBF1BB49310F24902AE418B7250D778AA45CF54

                                          Control-flow Graph

                                          Control-flow graph for the function at 9c05df0 (rendered basic-block graph with executed/not-executed colouring omitted); WriteProcessMemory is called from block 9c05e72-9c05ed3.
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09C05EC3
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2259054864.0000000009C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9c00000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 466acf050851007ec37c73139445896c033d305e34c9c783a14b933f6e79ff38
                                          • Instruction ID: bfe51c71794d822657795e676f47dfcb0cc1ae62872059a863d2123f4e976a6f
                                          • Opcode Fuzzy Hash: 466acf050851007ec37c73139445896c033d305e34c9c783a14b933f6e79ff38
                                          • Instruction Fuzzy Hash: 4C41BAB5D012589FCF00CFAAD980ADEFBF1BB49310F20902AE418B7240D779AA41CF64

                                          Control-flow Graph

                                          Control-flow graph for the function at 5a46019 (rendered basic-block graph with executed/not-executed colouring omitted); DuplicateHandle is called from block 5a46020-5a460fb.
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05A460EB
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2256076204.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_5a40000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 2565cf15552066d9097090798dd62f9700adfd71698fb28e349d2a9508e88f4a
                                          • Instruction ID: 3bb6b76332b9e25605471a5609ceaafd5ace72446c68fbd755629240bae692a2
                                          • Opcode Fuzzy Hash: 2565cf15552066d9097090798dd62f9700adfd71698fb28e349d2a9508e88f4a
                                          • Instruction Fuzzy Hash: BF4176B9D002589FCF10CFA9D984ADEBBF5BF49310F14906AE918BB210D335A955CF94

                                          Control-flow Graph

                                          Control-flow graph for the function at 5a46020 (rendered basic-block graph with executed/not-executed colouring omitted); DuplicateHandle is called from block 5a46020-5a460fb.
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05A460EB
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2256076204.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_5a40000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 2269f1afb64dfebb09ad711d346362dae021f9aa3a81f4ac194c97e261e5b418
                                          • Instruction ID: 4c2408741185b766a12db07a9691e96c2927c95a9f12819451ba3353a922bd1d
                                          • Opcode Fuzzy Hash: 2269f1afb64dfebb09ad711d346362dae021f9aa3a81f4ac194c97e261e5b418
                                          • Instruction Fuzzy Hash: AB4164B9D002589FCF00CFA9D984ADEBBF5BB49310F24906AE918AB310D375A955CF94

                                          Control-flow Graph

                                          Control-flow graph for the function at 9c05f41 (rendered basic-block graph with executed/not-executed colouring omitted); ReadProcessMemory is called from block 9c05f41-9c0600a.
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09C05FFA
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2259054864.0000000009C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9c00000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0

                                          Control-flow Graph
                                          • 9c05f48-9c0600a: calls ReadProcessMemory; branches to 9c0600c-9c06012 or 9c06013-9c06065
                                          • 9c0600c-9c06012 → 9c06013-9c06065
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09C05FFA
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2259054864.0000000009C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9c00000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09C05D7A
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2259054864.0000000009C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9c00000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09C05D7A
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2259054864.0000000009C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9c00000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          APIs
                                          • LoadLibraryExW.KERNELBASE(?,?,?), ref: 05A43FB2
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2256076204.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_5a40000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          APIs
                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 05A4CF41
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2256076204.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_5a40000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: CallProcWindow
                                          • String ID:
                                          • API String ID: 2714655100-0
                                          APIs
                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 018582A7
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2246505169.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_1850000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          APIs
                                          • LoadLibraryExW.KERNELBASE(?,?,?), ref: 05A43FB2
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2256076204.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_5a40000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 09C05C57
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2259054864.0000000009C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9c00000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 09C05C57
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2259054864.0000000009C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9c00000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          APIs
                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 018582A7
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2246505169.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_1850000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          APIs
                                          • PostMessageW.USER32(?,?,?,00000000), ref: 09C098AB
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2259054864.0000000009C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9c00000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          APIs
                                          • PostMessageW.USER32(?,?,?,00000000), ref: 09C098AB
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2259054864.0000000009C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9c00000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(?), ref: 05A43C8A
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2256076204.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_5a40000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          APIs
                                          • ResumeThread.KERNELBASE(?), ref: 09C056FE
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2259054864.0000000009C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9c00000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          APIs
                                          • ResumeThread.KERNELBASE(?), ref: 09C056FE
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2259054864.0000000009C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 09C00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_9c00000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2246173528.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_17bd000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2246239811.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_17cd000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2246173528.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_17bd000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2246239811.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_17cd000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2246173528.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_17bd000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2246173528.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_17bd000_QXnCjDPniyIC.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:

                                          Execution Graph

                                          Execution Coverage:13.3%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:3
                                          Total number of Limit Nodes:0
                                          • 5d0e290 → 5d0e2d6 (GlobalMemoryStatusEx) → 5d0e306
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 92fddc404df35feb2aba0c6de1df38a1516cc07d39446921583df09c4e3489e8
                                          • Instruction ID: fde609163adfc7d54672ddc0f6f4fd21b1d2869fa9003632f57c380f447da136
                                          • Opcode Fuzzy Hash: 92fddc404df35feb2aba0c6de1df38a1516cc07d39446921583df09c4e3489e8
                                          • Instruction Fuzzy Hash: 8D227D35A002058FEB14EF68D984BADBBB6FF88314F248569E909EB395DB74DC41CB50

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 3840 29d4a98-29d4afe 3842 29d4b48-29d4b4a 3840->3842 3843 29d4b00-29d4b0b 3840->3843 3844 29d4b4c-29d4b65 3842->3844 3843->3842 3845 29d4b0d-29d4b19 3843->3845 3852 29d4b67-29d4b73 3844->3852 3853 29d4bb1-29d4bb3 3844->3853 3846 29d4b3c-29d4b46 3845->3846 3847 29d4b1b-29d4b25 3845->3847 3846->3844 3848 29d4b29-29d4b38 3847->3848 3849 29d4b27 3847->3849 3848->3848 3851 29d4b3a 3848->3851 3849->3848 3851->3846 3852->3853 3855 29d4b75-29d4b81 3852->3855 3854 29d4bb5-29d4bcd 3853->3854 3861 29d4bcf-29d4bda 3854->3861 3862 29d4c17-29d4c19 3854->3862 3856 29d4ba4-29d4baf 3855->3856 3857 29d4b83-29d4b8d 3855->3857 3856->3854 3859 29d4b8f 3857->3859 3860 29d4b91-29d4ba0 3857->3860 3859->3860 3860->3860 3863 29d4ba2 3860->3863 3861->3862 3864 29d4bdc-29d4be8 3861->3864 3865 29d4c1b-29d4c33 3862->3865 3863->3856 3866 29d4c0b-29d4c15 3864->3866 3867 29d4bea-29d4bf4 3864->3867 3872 29d4c7d-29d4c7f 3865->3872 3873 29d4c35-29d4c40 3865->3873 3866->3865 3868 29d4bf8-29d4c07 3867->3868 3869 29d4bf6 3867->3869 3868->3868 3871 29d4c09 3868->3871 3869->3868 3871->3866 3875 29d4c81-29d4cf4 3872->3875 3873->3872 3874 29d4c42-29d4c4e 3873->3874 3876 29d4c71-29d4c7b 3874->3876 3877 29d4c50-29d4c5a 3874->3877 3884 29d4cfa-29d4d08 3875->3884 3876->3875 3878 29d4c5c 3877->3878 3879 29d4c5e-29d4c6d 3877->3879 3878->3879 3879->3879 3881 29d4c6f 3879->3881 3881->3876 3885 29d4d0a-29d4d10 3884->3885 3886 29d4d11-29d4d71 3884->3886 3885->3886 3893 29d4d81-29d4d85 3886->3893 3894 29d4d73-29d4d77 3886->3894 3895 29d4d95-29d4d99 3893->3895 3896 29d4d87-29d4d8b 3893->3896 3894->3893 3897 29d4d79 3894->3897 3899 29d4da9-29d4dad 3895->3899 3900 29d4d9b-29d4d9f 3895->3900 3896->3895 3898 29d4d8d 3896->3898 3897->3893 3898->3895 3902 29d4dbd-29d4dc1 3899->3902 3903 29d4daf-29d4db3 3899->3903 3900->3899 3901 29d4da1 3900->3901 3901->3899 3905 29d4dd1-29d4dd5 3902->3905 3906 29d4dc3-29d4dc7 3902->3906 3903->3902 3904 29d4db5 3903->3904 3904->3902 3907 29d4de5 3905->3907 3908 29d4dd7-29d4ddb 3905->3908 3906->3905 3909 29d4dc9-29d4dcc call 29d0ab8 3906->3909 3913 29d4de6 3907->3913 3908->3907 3910 29d4ddd-29d4de0 call 29d0ab8 3908->3910 3909->3905 3910->3907 3913->3913
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 431e69180a9081ce68fe0fcba3df5fb6a62c6b7dd3d3855135e680e9ce78ffdb
                                          • Instruction ID: db0dbdcf866c91b5767b442af0e7a0c2c31624fa3f887c7886ae36f5b756fbee
                                          • Opcode Fuzzy Hash: 431e69180a9081ce68fe0fcba3df5fb6a62c6b7dd3d3855135e680e9ce78ffdb
                                          • Instruction Fuzzy Hash: 0DB15A70E002098FDF10CFA9C8857EDBBF6AF88314F14E529D815AB294EB749845DF81

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 4193 29d3e80-29d3ee6 4195 29d3ee8-29d3ef3 4193->4195 4196 29d3f30-29d3f32 4193->4196 4195->4196 4197 29d3ef5-29d3f01 4195->4197 4198 29d3f34-29d3f8c 4196->4198 4199 29d3f24-29d3f2e 4197->4199 4200 29d3f03-29d3f0d 4197->4200 4207 29d3f8e-29d3f99 4198->4207 4208 29d3fd6-29d3fd8 4198->4208 4199->4198 4202 29d3f0f 4200->4202 4203 29d3f11-29d3f20 4200->4203 4202->4203 4203->4203 4204 29d3f22 4203->4204 4204->4199 4207->4208 4209 29d3f9b-29d3fa7 4207->4209 4210 29d3fda-29d3ff2 4208->4210 4211 29d3fa9-29d3fb3 4209->4211 4212 29d3fca-29d3fd4 4209->4212 4216 29d403c-29d403e 4210->4216 4217 29d3ff4-29d3fff 4210->4217 4213 29d3fb5 4211->4213 4214 29d3fb7-29d3fc6 4211->4214 4212->4210 4213->4214 4214->4214 4218 29d3fc8 4214->4218 4220 29d4040-29d408e 4216->4220 4217->4216 4219 29d4001-29d400d 4217->4219 4218->4212 4221 29d400f-29d4019 4219->4221 4222 29d4030-29d403a 4219->4222 4228 29d4094-29d40a2 4220->4228 4223 29d401d-29d402c 4221->4223 4224 29d401b 4221->4224 4222->4220 4223->4223 4226 29d402e 4223->4226 4224->4223 4226->4222 4229 29d40ab-29d410b 4228->4229 4230 29d40a4-29d40aa 4228->4230 4237 29d410d-29d4111 4229->4237 4238 29d411b-29d411f 4229->4238 4230->4229 4237->4238 4239 29d4113 4237->4239 4240 29d412f-29d4133 4238->4240 4241 29d4121-29d4125 4238->4241 4239->4238 4243 29d4135-29d4139 4240->4243 4244 29d4143-29d4147 4240->4244 4241->4240 4242 29d4127-29d412a call 29d0ab8 4241->4242 4242->4240 4243->4244 4246 29d413b-29d413e call 29d0ab8 4243->4246 4247 29d4149-29d414d 4244->4247 4248 29d4157-29d415b 4244->4248 4246->4244 4247->4248 4250 29d414f-29d4152 call 29d0ab8 4247->4250 4251 29d415d-29d4161 4248->4251 4252 29d416b-29d416f 4248->4252 4250->4248 4251->4252 4254 29d4163 4251->4254 4255 29d417f 4252->4255 4256 29d4171-29d4175 4252->4256 4254->4252 4258 29d4180 4255->4258 4256->4255 4257 29d4177 4256->4257 4257->4255 4258->4258
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b31a27042fcffc3f66dfad61bf2572ca0a81a77e297344f05b2272c588e8cdf0
                                          • Instruction ID: e19d0f1536833f687942545e6bc2a2d5c98dfc4a8b8b659bfb809724ca433fd1
                                          • Opcode Fuzzy Hash: b31a27042fcffc3f66dfad61bf2572ca0a81a77e297344f05b2272c588e8cdf0
                                          • Instruction Fuzzy Hash: 10916970E00209DFEF10CFA9C9857AEBBF2AF98304F14D129E405AB294EB749845DF81

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1503 5d0e277-5d0e2ce 1506 5d0e2d6-5d0e304 GlobalMemoryStatusEx 1503->1506 1507 5d0e306-5d0e30c 1506->1507 1508 5d0e30d-5d0e335 1506->1508 1507->1508
                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE ref: 05D0E2F7
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3314041524.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_5d00000_RegSvcs.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          • Opcode ID: a910e3ed077e6008f50f0895c9e2c73b62553859d8cd18f74ea206950276a737
                                          • Instruction ID: 6c19b40009a5ffd14abaff4d92baf5ff957be147f0fd08e64a54a6fbdc648472
                                          • Opcode Fuzzy Hash: a910e3ed077e6008f50f0895c9e2c73b62553859d8cd18f74ea206950276a737
                                          • Instruction Fuzzy Hash: C62136B2C0425ADFCB10CFAAD544BDEFBF4EF48220F14856AD518A7241D378A955CFA1

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1511 5d0e290-5d0e304 GlobalMemoryStatusEx 1513 5d0e306-5d0e30c 1511->1513 1514 5d0e30d-5d0e335 1511->1514 1513->1514
                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE ref: 05D0E2F7
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3314041524.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_5d00000_RegSvcs.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          • Opcode ID: 18bfb42fc0e5df92689a17a7e850080cb222f8e9a3a0489af26d68885129e8dc
                                          • Instruction ID: 9d3469c2842af359f99ad88ba42d244598b32f700135b9fe442ec5e55d3ccfad
                                          • Opcode Fuzzy Hash: 18bfb42fc0e5df92689a17a7e850080cb222f8e9a3a0489af26d68885129e8dc
                                          • Instruction Fuzzy Hash: B51112B1C0065A9BCB10CF9AD544B9EFBF4BF48220F10852AD918A7240D3B8A950CFA1

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 3047 29d790a-29d791f 3048 29d7921-29d7924 3047->3048 3049 29d7926-29d793c 3048->3049 3050 29d7941-29d7944 3048->3050 3049->3050 3051 29d7946-29d796c 3050->3051 3052 29d7971-29d7974 3050->3052 3051->3052 3053 29d7976-29d799c 3052->3053 3054 29d79a1-29d79a4 3052->3054 3053->3054 3056 29d79a6-29d79cc 3054->3056 3057 29d79d1-29d79d4 3054->3057 3056->3057 3059 29d79d6-29d79fc 3057->3059 3060 29d7a01-29d7a04 3057->3060 3059->3060 3063 29d7a06-29d7a2c 3060->3063 3064 29d7a31-29d7a34 3060->3064 3063->3064 3067 29d7a36-29d7a5c 3064->3067 3068 29d7a61-29d7a64 3064->3068 3067->3068 3071 29d7a66-29d7a8c 3068->3071 3072 29d7a91-29d7a94 3068->3072 3071->3072 3076 29d7a96-29d7abc 3072->3076 3077 29d7ac1-29d7ac4 3072->3077 3076->3077 3081 29d7ac6-29d7aec 3077->3081 3082 29d7af1-29d7af4 3077->3082 3081->3082 3086 29d7b05-29d7b08 3082->3086 3087 29d7af6-29d7af8 3082->3087 3094 29d7b0a-29d7b30 3086->3094 3095 29d7b35-29d7b38 3086->3095 3261 29d7afa call 29d9150 3087->3261 3262 29d7afa call 29d9160 3087->3262 3263 29d7afa call 29d9203 3087->3263 3094->3095 3096 29d7b3a-29d7b60 3095->3096 3097 29d7b65-29d7b68 3095->3097 3096->3097 3103 29d7b6a-29d7b90 3097->3103 3104 29d7b95-29d7b98 3097->3104 3098 29d7b00 3098->3086 3103->3104 3106 29d7b9a-29d7bc0 3104->3106 3107 29d7bc5-29d7bc8 3104->3107 3106->3107 3112 29d7bca-29d7bf0 3107->3112 3113 29d7bf5-29d7bf8 3107->3113 3112->3113 3115 29d7bfa-29d7c0e 3113->3115 3116 29d7c13-29d7c16 3113->3116 3115->3116 3121 29d7c18-29d7c3e 3116->3121 3122 29d7c43-29d7c46 3116->3122 3121->3122 3124 29d7c48-29d7c6e 3122->3124 3125 29d7c73-29d7c76 3122->3125 3124->3125 3131 29d7c78-29d7c9e 3125->3131 3132 29d7ca3-29d7ca6 3125->3132 3131->3132 3134 29d7ca8-29d7cce 3132->3134 3135 29d7cd3-29d7cd6 3132->3135 3134->3135 3140 29d7cd8-29d7cfe 3135->3140 3141 29d7d03-29d7d06 3135->3141 3140->3141 3144 29d7d08-29d7d2e 3141->3144 3145 29d7d33-29d7d36 3141->3145 3144->3145 3149 29d7d38-29d7d5e 3145->3149 3150 29d7d63-29d7d66 3145->3150 3149->3150 3153 29d7d68-29d7d8e 3150->3153 3154 29d7d93-29d7d96 3150->3154 3153->3154 3159 29d7d98-29d7dbe 3154->3159 3160 29d7dc3-29d7dc6 3154->3160 3159->3160 3163 29d7dc8-29d7dee 3160->3163 3164 29d7df3-29d7df6 3160->3164 3163->3164 3169 29d7df8-29d7e1e 3164->3169 3170 29d7e23-29d7e26 3164->3170 3169->3170 3173 29d7e28-29d7e4e 3170->3173 3174 29d7e53-29d7e56 3170->3174 3173->3174 3179 29d7e58-29d7e7e 3174->3179 3180 29d7e83-29d7e86 3174->3180 3179->3180 3183 29d7e88-29d7eae 3180->3183 3184 29d7eb3-29d7eb6 3180->3184 3183->3184 3189 29d7eb8-29d7ede 3184->3189 3190 29d7ee3-29d7ee6 3184->3190 3189->3190 3193 29d7ee8-29d7f0e 3190->3193 3194 29d7f13-29d7f16 3190->3194 3193->3194 3199 29d7f18-29d7f3e 3194->3199 3200 29d7f43-29d7f46 3194->3200 3199->3200 3203 29d7f48-29d7f6e 3200->3203 3204 29d7f73-29d7f76 3200->3204 3203->3204 3209 29d7f78-29d7f9e 3204->3209 3210 29d7fa3-29d7fa6 3204->3210 3209->3210 3213 29d7fa8-29d7fce 3210->3213 3214 29d7fd3-29d7fd6 3210->3214 3213->3214 3219 29d7fd8-29d7ffe 3214->3219 3220 29d8003-29d8006 3214->3220 3219->3220 3223 29d8008-29d802e 3220->3223 3224 29d8033-29d8036 3220->3224 3223->3224 3229 29d8038-29d805e 3224->3229 3230 29d8063-29d8066 3224->3230 3229->3230 3233 29d8068-29d808e 3230->3233 3234 29d8093-29d8096 3230->3234 3233->3234 3239 29d8098-29d80be 3234->3239 3240 29d80c3-29d80c6 3234->3240 3239->3240 3243 29d80c8 3240->3243 3244 29d80d3-29d80d5 3240->3244 3253 29d80ce 3243->3253 3249 29d80dc-29d80df 3244->3249 3250 29d80d7 3244->3250 3249->3048 3255 29d80e5-29d80eb 3249->3255 3250->3249 3253->3244 3261->3098 3262->3098 3263->3098
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 916a71a762fe6417b8d7c085e9f6fc36b848bd3294ad22ccb0b191cb69333ca4
                                          • Instruction ID: 9319c7e9aa9d229d1a63b863c25fd01f6893faec5b0bb5bbe9d81c23ec231a44
                                          • Opcode Fuzzy Hash: 916a71a762fe6417b8d7c085e9f6fc36b848bd3294ad22ccb0b191cb69333ca4
                                          • Instruction Fuzzy Hash: 20125A30B00202DBDB29AA7CE8C476876A7FBC5315F608A2DE105DB755CF79E8479B90

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 3914 29d4a8c-29d4afe 3916 29d4b48-29d4b4a 3914->3916 3917 29d4b00-29d4b0b 3914->3917 3918 29d4b4c-29d4b65 3916->3918 3917->3916 3919 29d4b0d-29d4b19 3917->3919 3926 29d4b67-29d4b73 3918->3926 3927 29d4bb1-29d4bb3 3918->3927 3920 29d4b3c-29d4b46 3919->3920 3921 29d4b1b-29d4b25 3919->3921 3920->3918 3922 29d4b29-29d4b38 3921->3922 3923 29d4b27 3921->3923 3922->3922 3925 29d4b3a 3922->3925 3923->3922 3925->3920 3926->3927 3929 29d4b75-29d4b81 3926->3929 3928 29d4bb5-29d4bcd 3927->3928 3935 29d4bcf-29d4bda 3928->3935 3936 29d4c17-29d4c19 3928->3936 3930 29d4ba4-29d4baf 3929->3930 3931 29d4b83-29d4b8d 3929->3931 3930->3928 3933 29d4b8f 3931->3933 3934 29d4b91-29d4ba0 3931->3934 3933->3934 3934->3934 3937 29d4ba2 3934->3937 3935->3936 3938 29d4bdc-29d4be8 3935->3938 3939 29d4c1b-29d4c33 3936->3939 3937->3930 3940 29d4c0b-29d4c15 3938->3940 3941 29d4bea-29d4bf4 3938->3941 3946 29d4c7d-29d4c7f 3939->3946 3947 29d4c35-29d4c40 3939->3947 3940->3939 3942 29d4bf8-29d4c07 3941->3942 3943 29d4bf6 3941->3943 3942->3942 3945 29d4c09 3942->3945 3943->3942 3945->3940 3949 29d4c81-29d4cb7 3946->3949 3947->3946 3948 29d4c42-29d4c4e 3947->3948 3950 29d4c71-29d4c7b 3948->3950 3951 29d4c50-29d4c5a 3948->3951 3957 29d4cbf-29d4cf4 3949->3957 3950->3949 3952 29d4c5c 3951->3952 3953 29d4c5e-29d4c6d 3951->3953 3952->3953 3953->3953 3955 29d4c6f 3953->3955 3955->3950 3958 29d4cfa-29d4d08 3957->3958 3959 29d4d0a-29d4d10 3958->3959 3960 29d4d11-29d4d71 3958->3960 3959->3960 3967 29d4d81-29d4d85 3960->3967 3968 29d4d73-29d4d77 3960->3968 3969 29d4d95-29d4d99 3967->3969 3970 29d4d87-29d4d8b 3967->3970 3968->3967 3971 29d4d79 3968->3971 3973 29d4da9-29d4dad 3969->3973 3974 29d4d9b-29d4d9f 3969->3974 3970->3969 3972 29d4d8d 3970->3972 3971->3967 3972->3969 3976 29d4dbd-29d4dc1 3973->3976 3977 29d4daf-29d4db3 3973->3977 3974->3973 3975 29d4da1 3974->3975 3975->3973 3979 29d4dd1-29d4dd5 3976->3979 3980 29d4dc3-29d4dc7 3976->3980 3977->3976 3978 29d4db5 3977->3978 3978->3976 3981 29d4de5 3979->3981 3982 29d4dd7-29d4ddb 3979->3982 3980->3979 3983 29d4dc9-29d4dcc call 29d0ab8 3980->3983 3987 29d4de6 3981->3987 3982->3981 3984 29d4ddd-29d4de0 call 29d0ab8 3982->3984 3983->3979 3984->3981 3987->3987
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7ba5c43b0f73d4da8bf9d583b415d3a618b487ddb5ff560b5d4d388f92fbaf18
                                          • Instruction ID: fa6237900f2ddda4d55c991e8d4a4c660e161a93d3e84627a872148b74a9fd99
                                          • Opcode Fuzzy Hash: 7ba5c43b0f73d4da8bf9d583b415d3a618b487ddb5ff560b5d4d388f92fbaf18
                                          • Instruction Fuzzy Hash: 86A16A70E002098FDF10CFA8C8857DDBBF6AF88314F14E529D819AB254EB749845DF91
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ebfa9533d5185abd2284745b3b70d01fc16a4b2da40020c904a41bbfe299516b
                                          • Instruction ID: b88c2ed38e9ae44f2446cb8f32814c5291f6c37a44b2163bfedc8198bb536573
                                          • Opcode Fuzzy Hash: ebfa9533d5185abd2284745b3b70d01fc16a4b2da40020c904a41bbfe299516b
                                          • Instruction Fuzzy Hash: E8914B39A00114DFEB18EF68D984AADBBF6EF88314F148429E905EB355DB35EC42DB50

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 4259 29d3e74-29d3ee6 4261 29d3ee8-29d3ef3 4259->4261 4262 29d3f30-29d3f32 4259->4262 4261->4262 4263 29d3ef5-29d3f01 4261->4263 4264 29d3f34-29d3f8c 4262->4264 4265 29d3f24-29d3f2e 4263->4265 4266 29d3f03-29d3f0d 4263->4266 4273 29d3f8e-29d3f99 4264->4273 4274 29d3fd6-29d3fd8 4264->4274 4265->4264 4268 29d3f0f 4266->4268 4269 29d3f11-29d3f20 4266->4269 4268->4269 4269->4269 4270 29d3f22 4269->4270 4270->4265 4273->4274 4275 29d3f9b-29d3fa7 4273->4275 4276 29d3fda-29d3ff2 4274->4276 4277 29d3fa9-29d3fb3 4275->4277 4278 29d3fca-29d3fd4 4275->4278 4282 29d403c-29d403e 4276->4282 4283 29d3ff4-29d3fff 4276->4283 4279 29d3fb5 4277->4279 4280 29d3fb7-29d3fc6 4277->4280 4278->4276 4279->4280 4280->4280 4284 29d3fc8 4280->4284 4286 29d4040-29d4052 4282->4286 4283->4282 4285 29d4001-29d400d 4283->4285 4284->4278 4287 29d400f-29d4019 4285->4287 4288 29d4030-29d403a 4285->4288 4293 29d4059-29d408e 4286->4293 4289 29d401d-29d402c 4287->4289 4290 29d401b 4287->4290 4288->4286 4289->4289 4292 29d402e 4289->4292 4290->4289 4292->4288 4294 29d4094-29d40a2 4293->4294 4295 29d40ab-29d410b 4294->4295 4296 29d40a4-29d40aa 4294->4296 4303 29d410d-29d4111 4295->4303 4304 29d411b-29d411f 4295->4304 4296->4295 4303->4304 4305 29d4113 4303->4305 4306 29d412f-29d4133 4304->4306 4307 29d4121-29d4125 4304->4307 4305->4304 4309 29d4135-29d4139 4306->4309 4310 29d4143-29d4147 4306->4310 4307->4306 4308 29d4127-29d412a call 29d0ab8 4307->4308 4308->4306 4309->4310 4312 29d413b-29d413e call 29d0ab8 4309->4312 4313 29d4149-29d414d 4310->4313 4314 29d4157-29d415b 4310->4314 4312->4310 4313->4314 4316 29d414f-29d4152 call 29d0ab8 4313->4316 4317 29d415d-29d4161 4314->4317 4318 29d416b-29d416f 4314->4318 4316->4314 4317->4318 4320 29d4163 4317->4320 4321 29d417f 4318->4321 4322 29d4171-29d4175 4318->4322 4320->4318 4324 29d4180 4321->4324 4322->4321 4323 29d4177 4322->4323 4323->4321 4324->4324
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bee3e33a020d5969156f59cbfdaf2a07b37f4cbffd9cfcdc3f3d6ebe75f3f9c8
                                          • Instruction ID: df88ddbba1d33581705571b3f1ce46967a98c022eb808cb0f0bbdddf9ab0d1d4
                                          • Opcode Fuzzy Hash: bee3e33a020d5969156f59cbfdaf2a07b37f4cbffd9cfcdc3f3d6ebe75f3f9c8
                                          • Instruction Fuzzy Hash: FB915970E0024ADFEF10CFA8D9857DEBBF2AF98304F149129E415AB294EB749845DF91
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7cf2e368ccbbb33394e1293226d2927b013f2c8b24c23bad1741d8a05601d624
                                          • Instruction ID: 93dd209c482cf9eefc74df64decd729aea07bc5e4cd0fd00916f50413254bcd6
                                          • Opcode Fuzzy Hash: 7cf2e368ccbbb33394e1293226d2927b013f2c8b24c23bad1741d8a05601d624
                                          • Instruction Fuzzy Hash: 287156B0E002498FDF10CFA9C98479EBBF6BF88714F14D129E419AB254EB749842DF95
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 87865459295eb03a0480ba273b81882b6d8e97ee67ba42aed08a0f3544d2347e
                                          • Instruction ID: e43bb6e07d01080836ef6915c80667b1e0a6a96b5c37c69ade33401ac64b3cfa
                                          • Opcode Fuzzy Hash: 87865459295eb03a0480ba273b81882b6d8e97ee67ba42aed08a0f3544d2347e
                                          • Instruction Fuzzy Hash: 517167B0E002498FDF10CFA9C98479EBBF6BF88714F14D129E419AB254EB749841DF85
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6bb00275e36a9c9b3cba7bc8a6955f32abaeb72e20659370ec2ffbcab23cd1f4
                                          • Instruction ID: 34d84c4313b04835c87c81445e0d2594e29d93b00a7907b8b0e4ad138148af53
                                          • Opcode Fuzzy Hash: 6bb00275e36a9c9b3cba7bc8a6955f32abaeb72e20659370ec2ffbcab23cd1f4
                                          • Instruction Fuzzy Hash: CB51C030E012559FEB28DFB8D49079EB7B6EF85310F10856AE405EB290EB75D943CB90
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bf15b026966c8ac292639cacb4a1f6339193d96c76853fb4f3532ebf0cf641b1
                                          • Instruction ID: 3527ce522227747523ffe61d26ae95c518e82f48aab4b4e20cd765ae0ee41906
                                          • Opcode Fuzzy Hash: bf15b026966c8ac292639cacb4a1f6339193d96c76853fb4f3532ebf0cf641b1
                                          • Instruction Fuzzy Hash: B4510375D002588FDB18CFA9E884B9DBBF5BF48314F14852AE815BB391D774A844CF94
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 501d8f7c45f7fa2482bff13585eabce8f1808dd9924d67156097eb2cea987787
                                          • Instruction ID: d5a97c7b9e0dd33f3390cadb5a62783937cc5f7a1ba3198af8125a9a6876b20b
                                          • Opcode Fuzzy Hash: 501d8f7c45f7fa2482bff13585eabce8f1808dd9924d67156097eb2cea987787
                                          • Instruction Fuzzy Hash: 86510471D002588FDB14CFA9E884B9EBBF9BF48314F14851AE815BB351DB74A844CF95
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c8900dd67b39171d7a963ab2b692e41cab49e29faec7a9b81dc1fb47b8dae58d
                                          • Instruction ID: 90845b78e095d67bdf74473181ca84d3318ea0d27116a6e632df611c4ccde549
                                          • Opcode Fuzzy Hash: c8900dd67b39171d7a963ab2b692e41cab49e29faec7a9b81dc1fb47b8dae58d
                                          • Instruction Fuzzy Hash: EE51CA35205146CFDB6AEF2CF980F653FA2FBB6305700996DD5046B2BADA742907DB80
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 693f40ab4f0b6419882bf3612b1cd2b2f74e689b4d4e1adf87b2b9503c2614b9
                                          • Instruction ID: d3a54cfa65d0002033e1d8d669ceeda16934dd313695b2becba2d8914eeeaf7b
                                          • Opcode Fuzzy Hash: 693f40ab4f0b6419882bf3612b1cd2b2f74e689b4d4e1adf87b2b9503c2614b9
                                          • Instruction Fuzzy Hash: 7851C934205146CFDB6AFF2CF980F653FA2FBB6305300996DD5046B2BADA746906DB80
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c6f0b02eb7f04138ae89aee4666d9eb7a4bc0936d7e69e739785c8c68c74b4ab
                                          • Instruction ID: f7a2bee142645768c0365a30883b45ffaae7cba414965ef6867f504083743fa5
                                          • Opcode Fuzzy Hash: c6f0b02eb7f04138ae89aee4666d9eb7a4bc0936d7e69e739785c8c68c74b4ab
                                          • Instruction Fuzzy Hash: 47311E31B002018FDB09AB34C4957AE7BA6EF89740F548428C007DB385DF38CC46DB90
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 49afbae86221dc2f9e2ec58c48a822576dece48fa85d0e8966480496ff5a8e26
                                          • Instruction ID: 12bd09cb8908aea5af6561ecccdcdcc3622c23c8997edbd790a366b8e5767fc6
                                          • Opcode Fuzzy Hash: 49afbae86221dc2f9e2ec58c48a822576dece48fa85d0e8966480496ff5a8e26
                                          • Instruction Fuzzy Hash: E1319575B011458BEF64EF68D4C077EB3BAFB86650F604829D506DB390DB34DD419B81
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5237655e1a34190ea50ae7dbc78294a778bba539fc1d09c302c1ba4334fc78b7
                                          • Instruction ID: d9dfd37ee41dea3e27bf51c5459415f893f6a711a2ba8031b57aca5a0b948b91
                                          • Opcode Fuzzy Hash: 5237655e1a34190ea50ae7dbc78294a778bba539fc1d09c302c1ba4334fc78b7
                                          • Instruction Fuzzy Hash: 4B31EB31B002058BDB18AB38C45566E7BAAAF89784F648428D407DB385EF39DC42DBD0
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f8bca896cc6f4d41893fae2b6e9098b5ee96663da016b942424642ab908267d9
                                          • Instruction ID: 6e91e1d31e3818ab64cda6d289825ed7e580250358c5fea6e77e6a41851ebdb2
                                          • Opcode Fuzzy Hash: f8bca896cc6f4d41893fae2b6e9098b5ee96663da016b942424642ab908267d9
                                          • Instruction Fuzzy Hash: 83318F79E002068BDB19CFA8D89579EB7B6FF89304F10C519E906EB740DB70AC46CB80
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b7a9ac01a7e8f2447bb676f905a9e05fd2f815bd08ef7bac3e4b368c122ef7b9
                                          • Instruction ID: 4f2f13a9e4b944796f72626af013311244b6e5a3b9a2bdd1e722acabe49df894
                                          • Opcode Fuzzy Hash: b7a9ac01a7e8f2447bb676f905a9e05fd2f815bd08ef7bac3e4b368c122ef7b9
                                          • Instruction Fuzzy Hash: D0314F31E106199BDB24CFA8D484BDEF7BAEF85310F50C525E806FB280EB71A942DB50
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6536a547e5d2885c7ee5a5e5418a6009bb02c64eea756b8e753602407fff67ce
                                          • Instruction ID: 43b4a8a82e271aa47898d2bbca82ab78d9d5b1f1bae914eece7643ddde7986e7
                                          • Opcode Fuzzy Hash: 6536a547e5d2885c7ee5a5e5418a6009bb02c64eea756b8e753602407fff67ce
                                          • Instruction Fuzzy Hash: C141FEB4D00349DFEB10DFA9C984ADEBBF5FF48314F148429E809AB254DB75A945CB90
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 71967311364006f111c0eac03688fb93c2b64483e13061c9ed756374bcbbc477
                                          • Instruction ID: 4c5c31504805de20ad9cfb0c6cc44104649cf81fe57d1bf20600a04f7a62bebe
                                          • Opcode Fuzzy Hash: 71967311364006f111c0eac03688fb93c2b64483e13061c9ed756374bcbbc477
                                          • Instruction Fuzzy Hash: 62314B35A102469BDB19CFA9D895A9EB7B6FF89300F10C919E906E7740DF70AC46CB90
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2db42ddd17d9df2d13868932ac86538ee47c8cf5fd535f86ac8560ec25c17ff2
                                          • Instruction ID: a8c8991f08f0aec2c48f8c143c5bb85205f9fb064bf6ccbc7f9d26064fe1e7fa
                                          • Opcode Fuzzy Hash: 2db42ddd17d9df2d13868932ac86538ee47c8cf5fd535f86ac8560ec25c17ff2
                                          • Instruction Fuzzy Hash: E441DCB0D0034DDFEB10DFA9C984A9EBBF5FF48714F248429E809AB254DB75A945CB90
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ad8d8bf658847c099743a717906b1151a7e585de87bd775872c58ef9b9a48ad6
                                          • Instruction ID: c0659396b493564bc7219e4e5907eb20cbfc8a0b33c9b7f99ca4beb1d6e6eb73
                                          • Opcode Fuzzy Hash: ad8d8bf658847c099743a717906b1151a7e585de87bd775872c58ef9b9a48ad6
                                          • Instruction Fuzzy Hash: F421B672A002508FCF21ABB899543BE7BB6EB56325F1484BAD40ED7341D735E842DB91
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7d12d7179b9ddb605eea2c3da45f1077faa404a66475da379dc2a02791c124ec
                                          • Instruction ID: 7d2ef9e2cb311fb01fa52f3480343098f8cac38b6368bf92f283f2256d546ece
                                          • Opcode Fuzzy Hash: 7d12d7179b9ddb605eea2c3da45f1077faa404a66475da379dc2a02791c124ec
                                          • Instruction Fuzzy Hash: 7C318F35E002469BEB15EFA9D4907DEFBB6FF89304F10C519E905AB384DB709846CB90
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9d25cefcfcd9af9b0602493546c3d3805cf6674e172ef6e44a1eff633d285806
                                          • Instruction ID: c87ef0efff696522b5f3694897241c134f28738cb7bcbc2b8c6947cfb10192b3
                                          • Opcode Fuzzy Hash: 9d25cefcfcd9af9b0602493546c3d3805cf6674e172ef6e44a1eff633d285806
                                          • Instruction Fuzzy Hash: 7C218331E0020A9BEB15DFA9D49479EF7B6FF89304F50C519E905EB384DB709846CB90
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 75e8cd95b847dc55a1edb810ccfaba34da72d86c5bf9839843916ab2fb1bdf00
                                          • Instruction ID: 3b37c302dc8453587e08a0b1af603b9e3ee6e1a4e5fcf9d4ff91863c0ae69e5a
                                          • Opcode Fuzzy Hash: 75e8cd95b847dc55a1edb810ccfaba34da72d86c5bf9839843916ab2fb1bdf00
                                          • Instruction Fuzzy Hash: F8217135E00206CBEB18DFA4D4947DEF7B6AF89304F10C61AE916BB350DB709946CB50
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 72259eb4704b9fbcf1627873e063baf89cf7bc8b4b86866dbd6b17a82688aa5f
                                          • Instruction ID: aa3ef2fe46d4ced196b0bede517e30d4e703da6ee2a663ceacf8908c04803a11
                                          • Opcode Fuzzy Hash: 72259eb4704b9fbcf1627873e063baf89cf7bc8b4b86866dbd6b17a82688aa5f
                                          • Instruction Fuzzy Hash: ED21AA39A011418FEF26E738F9847293B66EB95314F109969D00EC72AADF7CD843CB91
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5ea8f62265beba36082621f8364f54fbba49b9cf121b4b821c8bf01114f4d4dd
                                          • Instruction ID: f154717fe4288a240b6f28e59a1993a185aa3ed266162e537b379cb14b4fc3a3
                                          • Opcode Fuzzy Hash: 5ea8f62265beba36082621f8364f54fbba49b9cf121b4b821c8bf01114f4d4dd
                                          • Instruction Fuzzy Hash: 8F2105707092909FC716FB3CE4606AE7FB6EF86310B00449ED141CB2A6DE798C478791
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d8aa7635fef7005ac0be90b9b58ac98b9f8cab773c0eee663ca92a3789595657
                                          • Instruction ID: 9b15f2f6b12c435cad7a50c1279cd0bc716629544cdf34cf930ff66935daf414
                                          • Opcode Fuzzy Hash: d8aa7635fef7005ac0be90b9b58ac98b9f8cab773c0eee663ca92a3789595657
                                          • Instruction Fuzzy Hash: 49213C34700215CFDB54EB78D998BAE77F1EF89305B508468E50AEB3A0DB359D02DB90
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3306658809.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_f4d000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cac05347e92a65ac8538565329baf26a68352b0d4e001541c8418faf276e4fed
                                          • Instruction ID: 6b749181e5c18f59bfd92df140c25cd25a518ba70c2d0f7fd93459e7c4193926
                                          • Opcode Fuzzy Hash: cac05347e92a65ac8538565329baf26a68352b0d4e001541c8418faf276e4fed
                                          • Instruction Fuzzy Hash: 93213772504204DFDB14DF18D9C0B26BFA1FB84324F20C56DDD0A0B25AC376D847DA62
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3ed94d254de1ca73749704ca62c98aa9c6168c6825871172af41252ab7523d5f
                                          • Instruction ID: fac53c885046dd0d3a8a44e21bd3feed561d2b6e8aba9a2980599032dc10aba1
                                          • Opcode Fuzzy Hash: 3ed94d254de1ca73749704ca62c98aa9c6168c6825871172af41252ab7523d5f
                                          • Instruction Fuzzy Hash: F621AE75A002408FEF355628E88432D7B29EB03325F104969E40ECB2C5DB69E887A792
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 01f48320b1534e7c64130b9042e27dedf35fa2fcfac8a4abcc1299c83df72e30
                                          • Instruction ID: 3268e84e9f6b97180b592a4b192dec76a5335ad774555fbef19627d6f456d222
                                          • Opcode Fuzzy Hash: 01f48320b1534e7c64130b9042e27dedf35fa2fcfac8a4abcc1299c83df72e30
                                          • Instruction Fuzzy Hash: B0217832B00205CFEF68EB78D555BAE77F6AF89344F104468C10AEB2A0DB358D41EB61
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3306658809.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_f4d000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1317a86395a0eee68d57172c2b75ae0002c43cffaf3dbddfea6f45fcf802c287
                                          • Instruction ID: 38d605cfaea219d2a33b13a2dc7fcd3ef4459a4cb5f533198b9de39a6e991a6f
                                          • Opcode Fuzzy Hash: 1317a86395a0eee68d57172c2b75ae0002c43cffaf3dbddfea6f45fcf802c287
                                          • Instruction Fuzzy Hash: 8D215C7150D3C09FC713CB24D990711BF71AB46224F29C5EBD8898F2A7C23A980ACB62
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 44d704f209cda46f55d2e498f8b65e0e28b432f2d03aa8821ef3cf771b61307d
                                          • Instruction ID: 844ca80fa87c78895d00b087c3982898cb4c790e4b4e84843d58779b1d4340cd
                                          • Opcode Fuzzy Hash: 44d704f209cda46f55d2e498f8b65e0e28b432f2d03aa8821ef3cf771b61307d
                                          • Instruction Fuzzy Hash: 10218434E0021ADBDB18DFA5D8546DEF7B6AF89314F10C61AE916F7340DB70A945CB50
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c15dc0b0f80a5e7207e6c0598b8fe0648b9de917112cd016332ae2e8314ec39c
                                          • Instruction ID: 93a390f31e2d6e8d2cdf4f6afb776fb3c0bb06e39e41f8484a0a715a0f83e493
                                          • Opcode Fuzzy Hash: c15dc0b0f80a5e7207e6c0598b8fe0648b9de917112cd016332ae2e8314ec39c
                                          • Instruction Fuzzy Hash: 6F218935B00208CFDB28EB78D5547AE77F6AB89244F104468C10AEB394DF368D01DBA1
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b8555e2dd6d317ac3bc03e2ec358272449c85c7743e418df526c68fe90f527fc
                                          • Instruction ID: 432cae2fff833f652b589bef4112af198050d4e59a59107b63ecd761c5291359
                                          • Opcode Fuzzy Hash: b8555e2dd6d317ac3bc03e2ec358272449c85c7743e418df526c68fe90f527fc
                                          • Instruction Fuzzy Hash: 6A2172396001018FEF25E72CE984B29376AEB86314F509929E10ED72A9DF7CD8438BD1
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: db77ddb2bb8176645743376faa80f9d2c4b77d77344e85b49f81a28623569893
                                          • Instruction ID: 99668d0ee499fe27d3ce2fd525c7cf9280d395ed0595120fa4e128ccb99c4161
                                          • Opcode Fuzzy Hash: db77ddb2bb8176645743376faa80f9d2c4b77d77344e85b49f81a28623569893
                                          • Instruction Fuzzy Hash: 5B21F834700209CFDB54EB78D958BAE77F6EF89305B508468E50AEB3A0DB359D01DB91
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 77f1750b73d64785f5fb7c0f9ed965f0c3fd2f35d50f22aa078175dc1dd3c78a
                                          • Instruction ID: 565dc7fd14a61ea16ba934ff7949eb99cf8d827bd0bebdd98009e9e3e19d20dc
                                          • Opcode Fuzzy Hash: 77f1750b73d64785f5fb7c0f9ed965f0c3fd2f35d50f22aa078175dc1dd3c78a
                                          • Instruction Fuzzy Hash: 18118F30B402098FEF24AB79C54473A3659EB86714F208829D106CF295DB66CC82ABD1
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9d3d10d3d38e2ed5116a23a4412ba090302cb6abb49f812a5eb7ec6f71b5eb9f
                                          • Instruction ID: f8816787424fcfa35f15c6a0b764416939936636ade4097d77419abee1b55b05
                                          • Opcode Fuzzy Hash: 9d3d10d3d38e2ed5116a23a4412ba090302cb6abb49f812a5eb7ec6f71b5eb9f
                                          • Instruction Fuzzy Hash: 6B110635B403088FEF255679C44037E3B59EB82314F10C939D006CF286DB66C842ABC2
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4cef010cc3d31779559e610587758bfdaa4d1937097560e40300192877b284ce
                                          • Instruction ID: cb8648fbff5504a20d8aaa120f2574e4312192a6bbdf4d2a98b9644a52e2d3ec
                                          • Opcode Fuzzy Hash: 4cef010cc3d31779559e610587758bfdaa4d1937097560e40300192877b284ce
                                          • Instruction Fuzzy Hash: 6C118E76F422519FDB50ABB8A84876E7BB5EB88350B104825E90AD3304EB38C9538B84
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.3307190281.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_29d0000_RegSvcs.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: