Edit tour

Windows Analysis Report
41570002689_20220814_05352297_HesapOzeti.exe

Overview

General Information

Sample name:	41570002689_20220814_05352297_HesapOzeti.exe
Analysis ID:	1573518
MD5:	6127b0ab2faae8792be092ef96f1d8cf
SHA1:	674852f4463b50ecb17d7f720cc165773c6ce3f8
SHA256:	b996d0418d6d8ac7d8f9ce4d09d0eb1f0fd1b30d733499742a41a9c6930521b4
Tags:	exegeoMassLoggerTURuser-abuse_ch
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code references suspicious native API functions

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

41570002689_20220814_05352297_HesapOzeti.exe (PID: 1492 cmdline: "C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe" MD5: 6127B0AB2FAAE8792BE092EF96F1D8CF)

juvenile.exe (PID: 6552 cmdline: "C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe" MD5: 6127B0AB2FAAE8792BE092EF96F1D8CF)

RegSvcs.exe (PID: 4328 cmdline: "C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 1944 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

juvenile.exe (PID: 4196 cmdline: "C:\Users\user\AppData\Local\nonplacental\juvenile.exe" MD5: 6127B0AB2FAAE8792BE092EF96F1D8CF)

RegSvcs.exe (PID: 6104 cmdline: "C:\Users\user\AppData\Local\nonplacental\juvenile.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "kingnovasend@zqamcx.com", "Password": "Anambraeast", "Server": "zqamcx.com", "To": "kingnovaresult@zqamcx.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1414b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13649:$a3: \Google\Chrome\User Data\Default\Login Data 0x13957:$a4: \Orbitum\User Data\Default\Login Data 0x1474f:$a5: \Kometa\User Data\Default\Login Data
00000009.00000002.3376008303.0000000002846000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1414b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13649:$a3: \Google\Chrome\User Data\Default\Login Data 0x13957:$a4: \Orbitum\User Data\Default\Login Data 0x1474f:$a5: \Kometa\User Data\Default\Login Data
00000003.00000002.3376122410.0000000002F86000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3374747417.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.3374747417.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3374747417.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.3374747417.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefa7:$a1: get_encryptedPassword 0xf2cf:$a2: get_encryptedUsername 0xed42:$a3: get_timePasswordChanged 0xee63:$a4: get_passwordField 0xefbd:$a5: set_encryptedPassword 0x10919:$a7: get_logins 0x105ca:$a8: GetOutlookPasswords 0x103bc:$a9: StartKeylogger 0x10869:$a10: KeyLoggerEventArgs 0x10419:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: juvenile.exe PID: 6552	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: juvenile.exe PID: 6552	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: juvenile.exe PID: 6552	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: juvenile.exe PID: 6552	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x612899:$a1: get_encryptedPassword 0x612bb2:$a2: get_encryptedUsername 0x612648:$a3: get_timePasswordChanged 0x612769:$a4: get_passwordField 0x6128af:$a5: set_encryptedPassword 0x6141b2:$a7: get_logins 0x613e63:$a8: GetOutlookPasswords 0x613c55:$a9: StartKeylogger 0x614102:$a10: KeyLoggerEventArgs 0x613cb2:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 4328	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 4328	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 4328	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 4328	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x461ab:$a1: get_encryptedPassword 0x464c4:$a2: get_encryptedUsername 0x45f5a:$a3: get_timePasswordChanged 0x4607b:$a4: get_passwordField 0x461c1:$a5: set_encryptedPassword 0x47ac4:$a7: get_logins 0x47775:$a8: GetOutlookPasswords 0x47567:$a9: StartKeylogger 0x47a14:$a10: KeyLoggerEventArgs 0x475c4:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: juvenile.exe PID: 4196	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: juvenile.exe PID: 4196	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: juvenile.exe PID: 4196	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: juvenile.exe PID: 4196	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x53fbd4:$a1: get_encryptedPassword 0x53feed:$a2: get_encryptedUsername 0x53f983:$a3: get_timePasswordChanged 0x53faa4:$a4: get_passwordField 0x53fbea:$a5: set_encryptedPassword 0x5414ed:$a7: get_logins 0x54119e:$a8: GetOutlookPasswords 0x540f90:$a9: StartKeylogger 0x54143d:$a10: KeyLoggerEventArgs 0x540fed:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 6104	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.juvenile.exe.510000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.juvenile.exe.510000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.juvenile.exe.510000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.juvenile.exe.510000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
2.2.juvenile.exe.510000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1414b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13649:$a3: \Google\Chrome\User Data\Default\Login Data 0x13957:$a4: \Orbitum\User Data\Default\Login Data 0x1474f:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
3.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1414b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13649:$a3: \Google\Chrome\User Data\Default\Login Data 0x13957:$a4: \Orbitum\User Data\Default\Login Data 0x1474f:$a5: \Kometa\User Data\Default\Login Data
6.2.juvenile.exe.1390000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
6.2.juvenile.exe.1390000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.juvenile.exe.1390000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.juvenile.exe.1390000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
6.2.juvenile.exe.1390000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1414b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13649:$a3: \Google\Chrome\User Data\Default\Login Data 0x13957:$a4: \Orbitum\User Data\Default\Login Data 0x1474f:$a5: \Kometa\User Data\Default\Login Data
2.2.juvenile.exe.510000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.juvenile.exe.510000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.juvenile.exe.510000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.juvenile.exe.510000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
2.2.juvenile.exe.510000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1234b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11849:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b57:$a4: \Orbitum\User Data\Default\Login Data 0x1294f:$a5: \Kometa\User Data\Default\Login Data
6.2.juvenile.exe.1390000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
6.2.juvenile.exe.1390000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.juvenile.exe.1390000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.juvenile.exe.1390000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
6.2.juvenile.exe.1390000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1234b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11849:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b57:$a4: \Orbitum\User Data\Default\Login Data 0x1294f:$a5: \Kometa\User Data\Default\Login Data
Click to see the 20 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs" , ProcessId: 1944, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs" , ProcessId: 1944, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\nonplacental\juvenile.exe, ProcessId: 6552, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T07:54:08.418914+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49709	132.226.8.169	80	TCP
2024-12-12T07:54:23.184179+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49748	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.juvenile.exe.510000.1.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "kingnovasend@zqamcx.com", "Password": "Anambraeast", "Server": "zqamcx.com", "To": "kingnovaresult@zqamcx.com", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Virustotal: Detection: 23%			Perma Link

Multi AV Scanner detection for submitted file

Source: 41570002689_20220814_05352297_HesapOzeti.exe	Virustotal: Detection: 23%			Perma Link
Source: 41570002689_20220814_05352297_HesapOzeti.exe	ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 41570002689_20220814_05352297_HesapOzeti.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: 41570002689_20220814_05352297_HesapOzeti.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.6:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.6:49754 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: juvenile.exe, 00000002.00000003.2180286308.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000002.00000003.2183404127.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000006.00000003.2337384791.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000006.00000003.2337237803.0000000003C60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: juvenile.exe, 00000002.00000003.2180286308.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000002.00000003.2183404127.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000006.00000003.2337384791.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000006.00000003.2337237803.0000000003C60000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_0053445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0053445A
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_0053C6D1 FindFirstFileW,FindClose,	0_2_0053C6D1
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_0053C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0053C75C
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_0053EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0053EF95
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_0053F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0053F0F2
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_0053F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0053F3F3
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_005337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_005337EF
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_00533B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00533B12
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_0053BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0053BCBC
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_0042445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0042445A
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_0042C6D1 FindFirstFileW,FindClose,	2_2_0042C6D1
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_0042C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0042C75C
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_0042EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0042EF95
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_0042F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0042F0F2
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_0042F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0042F3F3
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_004237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_004237EF
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_00423B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00423B12
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_0042BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0042BCBC

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01489731h	3_2_01489480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01489E5Ah	3_2_01489A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01489E5Ah	3_2_01489A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01489E5Ah	3_2_01489D87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 024A9731h	9_2_024A9480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 024A9E5Ah	9_2_024A9A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 024A9E5Ah	9_2_024A9A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 024A9E5Ah	9_2_024A9D87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04D05E15h	9_2_04D05AD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04D0F700h	9_2_04D0F458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04D076D0h	9_2_04D07428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04D08830h	9_2_04D08588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04D047C9h	9_2_04D04520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04D05929h	9_2_04D05680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04D0E9F8h	9_2_04D0E750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04D0F2A8h	9_2_04D0F000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04D083D8h	9_2_04D08130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04D0E5A0h	9_2_04D0E2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04D054D1h	9_2_04D05228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04D07F80h	9_2_04D07CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04D05079h	9_2_04D04DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04D07278h	9_2_04D06FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04D07B28h	9_2_04D07880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04D0FB58h	9_2_04D0F8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04D04C21h	9_2_04D04978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04D0EE50h	9_2_04D0EBA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052C62B5h	9_2_052C60D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052C6C3Fh	9_2_052C60D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052C3840h	9_2_052C3598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052C18A0h	9_2_052C15F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052C26E0h	9_2_052C2438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052C0740h	9_2_052C0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052C49A0h	9_2_052C46F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052C33E8h	9_2_052C3140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052C1448h	9_2_052C11A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_052C51E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052C02E8h	9_2_052C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov esp, ebp	9_2_052C93F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052C4548h	9_2_052C42A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052C0FF0h	9_2_052C0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052C2F90h	9_2_052C2CE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052C40F0h	9_2_052C3E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052C2152h	9_2_052C1EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_052C59FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052C3C98h	9_2_052C39F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_052C581B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052C2B38h	9_2_052C2890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052C0B98h	9_2_052C08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052C4DF8h	9_2_052C4B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 052C1CF8h	9_2_052C1A50

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49748 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49709 -> 132.226.8.169:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.6:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.6:49754 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_005422EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_005422EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000003.00000002.3376122410.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.0000000002770000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000003.00000002.3376122410.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.0000000002770000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000003.00000002.3376122410.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3376122410.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.0000000002770000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.000000000275E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000003.00000002.3376122410.0000000002E83000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3376122410.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000003.00000002.3376122410.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.0000000002770000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: juvenile.exe, 00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3374747417.0000000000402000.00000040.80000000.00040000.00000000.sdmp, juvenile.exe, 00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000003.00000002.3376122410.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.0000000002770000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000003.00000002.3376122410.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.000000000278D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.3376122410.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.000000000278D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000003.00000002.3376122410.0000000002E83000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: juvenile.exe, 00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3374747417.0000000000402000.00000040.80000000.00040000.00000000.sdmp, juvenile.exe, 00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000003.00000002.3376122410.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.0000000002770000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: juvenile.exe, 00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3374747417.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3376122410.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, juvenile.exe, 00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.0000000002770000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000003.00000002.3376122410.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.0000000002770000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.175d
Source: RegSvcs.exe, 00000003.00000002.3376122410.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.0000000002770000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.175l

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 2.2.juvenile.exe.510000.1.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 6.2.juvenile.exe.1390000.1.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_00544164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00544164

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_00544164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00544164
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_00434164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_00434164

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_00543F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00543F66

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_0053001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0053001C

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_0055CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_0055CABC
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_0044CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_0044CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.juvenile.exe.510000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.juvenile.exe.510000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.juvenile.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.juvenile.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.juvenile.exe.510000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.juvenile.exe.510000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.juvenile.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.juvenile.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.3374747417.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: juvenile.exe PID: 6552, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 4328, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: juvenile.exe PID: 4196, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: This is a third-party compiled AutoIt script.	0_2_004D3B3A
Source: 41570002689_20220814_05352297_HesapOzeti.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 41570002689_20220814_05352297_HesapOzeti.exe, 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fd5567ef-0
Source: 41570002689_20220814_05352297_HesapOzeti.exe, 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_7e167ba9-d
Source: 41570002689_20220814_05352297_HesapOzeti.exe, 00000000.00000003.2145610729.0000000004183000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_442950e1-1
Source: 41570002689_20220814_05352297_HesapOzeti.exe, 00000000.00000003.2145610729.0000000004183000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_98f4219b-8
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: This is a third-party compiled AutoIt script.	2_2_003C3B3A
Source: juvenile.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: juvenile.exe, 00000002.00000000.2146021752.0000000000474000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_83ae2c76-b
Source: juvenile.exe, 00000002.00000000.2146021752.0000000000474000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_8deb7a36-4
Source: juvenile.exe, 00000006.00000000.2289830894.0000000000474000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_582425c7-f
Source: juvenile.exe, 00000006.00000000.2289830894.0000000000474000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_65b19894-b
Source: 41570002689_20220814_05352297_HesapOzeti.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_51cfd39f-a
Source: 41570002689_20220814_05352297_HesapOzeti.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_86d27779-8
Source: juvenile.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_3293b81f-4
Source: juvenile.exe.0.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_7ccc0a69-9

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_0053A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0053A1EF

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_00528310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00528310

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_005351BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_005351BD
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_004251BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_004251BD

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004DE6A0	0_2_004DE6A0
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004FD975	0_2_004FD975
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004DFCE0	0_2_004DFCE0
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004F21C5	0_2_004F21C5
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_005062D2	0_2_005062D2
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_005503DA	0_2_005503DA
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_0050242E	0_2_0050242E
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004F25FA	0_2_004F25FA
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_0052E616	0_2_0052E616
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004E66E1	0_2_004E66E1
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_0050878F	0_2_0050878F
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_00550857	0_2_00550857
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_00506844	0_2_00506844
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004E8808	0_2_004E8808
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_00538889	0_2_00538889
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004FCB21	0_2_004FCB21
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_00506DB6	0_2_00506DB6
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004E6F9E	0_2_004E6F9E
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004E3030	0_2_004E3030
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004FF1D9	0_2_004FF1D9
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004F3187	0_2_004F3187
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004D1287	0_2_004D1287
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004F1484	0_2_004F1484
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004E5520	0_2_004E5520
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004F7696	0_2_004F7696
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004E5760	0_2_004E5760
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004F1978	0_2_004F1978
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_00509AB5	0_2_00509AB5
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_00557DDB	0_2_00557DDB
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004F1D90	0_2_004F1D90
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004FBDA6	0_2_004FBDA6
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004DDF00	0_2_004DDF00
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004E3FE0	0_2_004E3FE0
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_017EE6B8	0_2_017EE6B8
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003CE6A0	2_2_003CE6A0
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003ED975	2_2_003ED975
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003CFCE0	2_2_003CFCE0
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003E21C5	2_2_003E21C5
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003F62D2	2_2_003F62D2
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_004403DA	2_2_004403DA
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003F242E	2_2_003F242E
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003E25FA	2_2_003E25FA
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_0041E616	2_2_0041E616
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003D66E1	2_2_003D66E1
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003F878F	2_2_003F878F
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_00440857	2_2_00440857
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003D8808	2_2_003D8808
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003F6844	2_2_003F6844
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_00428889	2_2_00428889
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003ECB21	2_2_003ECB21
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003F6DB6	2_2_003F6DB6
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003D6F9E	2_2_003D6F9E
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003D3030	2_2_003D3030
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003E3187	2_2_003E3187
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003EF1D9	2_2_003EF1D9
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003C1287	2_2_003C1287
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003E1484	2_2_003E1484
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003D5520	2_2_003D5520
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003E7696	2_2_003E7696
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003D5760	2_2_003D5760
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003E1978	2_2_003E1978
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003F9AB5	2_2_003F9AB5
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003EBDA6	2_2_003EBDA6
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_00447DDB	2_2_00447DDB
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003E1D90	2_2_003E1D90
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003CDF00	2_2_003CDF00
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003D3FE0	2_2_003D3FE0
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_00E2BA98	2_2_00E2BA98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0148C530	3_2_0148C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01489480	3_2_01489480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01481A4B	3_2_01481A4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0148C521	3_2_0148C521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01482DD1	3_2_01482DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0148946F	3_2_0148946F
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 6_2_015EBB38	6_2_015EBB38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_024AC530	9_2_024AC530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_024A2DD1	9_2_024A2DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_024A9480	9_2_024A9480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_024A19B8	9_2_024A19B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_024AC521	9_2_024AC521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_024A946F	9_2_024A946F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D01400	9_2_04D01400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0B678	9_2_04D0B678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D06138	9_2_04D06138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0BC60	9_2_04D0BC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0AF00	9_2_04D0AF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D089E0	9_2_04D089E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D05AD8	9_2_04D05AD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D00AB8	9_2_04D00AB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0F458	9_2_04D0F458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0F44F	9_2_04D0F44F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D07423	9_2_04D07423
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D07428	9_2_04D07428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D08583	9_2_04D08583
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D08588	9_2_04D08588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0451B	9_2_04D0451B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D04520	9_2_04D04520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D05680	9_2_04D05680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0E750	9_2_04D0E750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0E743	9_2_04D0E743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0F000	9_2_04D0F000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0602A	9_2_04D0602A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D08130	9_2_04D08130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D08123	9_2_04D08123
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0E2F8	9_2_04D0E2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0E2EB	9_2_04D0E2EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D05228	9_2_04D05228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D013FB	9_2_04D013FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D00330	9_2_04D00330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0032B	9_2_04D0032B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D00CD3	9_2_04D00CD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D07CD3	9_2_04D07CD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D00CD8	9_2_04D00CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D07CD8	9_2_04D07CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D04DD0	9_2_04D04DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D04DCB	9_2_04D04DCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D06FD0	9_2_04D06FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D06FCD	9_2_04D06FCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0EFF7	9_2_04D0EFF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D07880	9_2_04D07880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0F8B0	9_2_04D0F8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0F8A4	9_2_04D0F8A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0787B	9_2_04D0787B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D04978	9_2_04D04978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0496F	9_2_04D0496F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D03BC3	9_2_04D03BC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0EB9F	9_2_04D0EB9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0EBA8	9_2_04D0EBA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C9118	9_2_052C9118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C8030	9_2_052C8030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C60D8	9_2_052C60D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C7390	9_2_052C7390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C6D48	9_2_052C6D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C79E0	9_2_052C79E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C358B	9_2_052C358B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C3598	9_2_052C3598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C15EB	9_2_052C15EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C15F8	9_2_052C15F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C2427	9_2_052C2427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C2438	9_2_052C2438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C048F	9_2_052C048F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C0498	9_2_052C0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C8668	9_2_052C8668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C8678	9_2_052C8678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C46ED	9_2_052C46ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C46F8	9_2_052C46F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C3133	9_2_052C3133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C9108	9_2_052C9108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C3140	9_2_052C3140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C11A0	9_2_052C11A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C1195	9_2_052C1195
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C51E8	9_2_052C51E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C51DF	9_2_052C51DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C8024	9_2_052C8024
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C0037	9_2_052C0037
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C0040	9_2_052C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C60CF	9_2_052C60CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C7380	9_2_052C7380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C42A0	9_2_052C42A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C4290	9_2_052C4290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C0D3F	9_2_052C0D3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C6D37	9_2_052C6D37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C0D48	9_2_052C0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C2CE8	9_2_052C2CE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C2CDB	9_2_052C2CDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C3E39	9_2_052C3E39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C3E48	9_2_052C3E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C1EA8	9_2_052C1EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C1E9B	9_2_052C1E9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C39E1	9_2_052C39E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C39F0	9_2_052C39F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C79D0	9_2_052C79D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C2880	9_2_052C2880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C2890	9_2_052C2890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C08E7	9_2_052C08E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C08F0	9_2_052C08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C4B41	9_2_052C4B41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C4B50	9_2_052C4B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C1A40	9_2_052C1A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_052C1A50	9_2_052C1A50

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: String function: 004D7DE1 appears 36 times
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: String function: 004F8900 appears 42 times
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: String function: 004F0AE3 appears 70 times
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: String function: 003E8900 appears 42 times
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: String function: 003E0AE3 appears 70 times
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: String function: 003C7DE1 appears 36 times

Source: 41570002689_20220814_05352297_HesapOzeti.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.juvenile.exe.510000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.juvenile.exe.510000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.juvenile.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.juvenile.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.juvenile.exe.510000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.juvenile.exe.510000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.juvenile.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.juvenile.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.3374747417.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: juvenile.exe PID: 6552, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 4328, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: juvenile.exe PID: 4196, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 2.2.juvenile.exe.510000.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.juvenile.exe.510000.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.juvenile.exe.1390000.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.juvenile.exe.1390000.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@2/2

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_0053A06A GetLastError,FormatMessageW,

0_2_0053A06A

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_005281CB AdjustTokenPrivileges,CloseHandle,	0_2_005281CB
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_005287E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_005287E1
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_004181CB AdjustTokenPrivileges,CloseHandle,	2_2_004181CB
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_004187E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_004187E1

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_0053B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0053B333

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_0054EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0054EE0D

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_0053C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0053C397

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_004D4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_004D4E89

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

File created: C:\Users\user\AppData\Local\nonplacental

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

File created: C:\Users\user\AppData\Local\Temp\autE8C2.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs"

Source: 41570002689_20220814_05352297_HesapOzeti.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.3376122410.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3376122410.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3376122410.0000000002F4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3376122410.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3376122410.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.00000000027EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.00000000027E0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.00000000027D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.000000000280F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.0000000002803000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376785470.000000000371D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 41570002689_20220814_05352297_HesapOzeti.exe	Virustotal: Detection: 23%
Source: 41570002689_20220814_05352297_HesapOzeti.exe	ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

File read: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe "C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe"
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Process created: C:\Users\user\AppData\Local\nonplacental\juvenile.exe "C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe"
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\nonplacental\juvenile.exe "C:\Users\user\AppData\Local\nonplacental\juvenile.exe"
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\nonplacental\juvenile.exe"
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Process created: C:\Users\user\AppData\Local\nonplacental\juvenile.exe "C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\nonplacental\juvenile.exe "C:\Users\user\AppData\Local\nonplacental\juvenile.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\nonplacental\juvenile.exe"	Jump to behavior

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 41570002689_20220814_05352297_HesapOzeti.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 41570002689_20220814_05352297_HesapOzeti.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 41570002689_20220814_05352297_HesapOzeti.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 41570002689_20220814_05352297_HesapOzeti.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 41570002689_20220814_05352297_HesapOzeti.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 41570002689_20220814_05352297_HesapOzeti.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 41570002689_20220814_05352297_HesapOzeti.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: juvenile.exe, 00000002.00000003.2180286308.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000002.00000003.2183404127.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000006.00000003.2337384791.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000006.00000003.2337237803.0000000003C60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: juvenile.exe, 00000002.00000003.2180286308.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000002.00000003.2183404127.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000006.00000003.2337384791.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000006.00000003.2337237803.0000000003C60000.00000004.00001000.00020000.00000000.sdmp

Source: 41570002689_20220814_05352297_HesapOzeti.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 41570002689_20220814_05352297_HesapOzeti.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 41570002689_20220814_05352297_HesapOzeti.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 41570002689_20220814_05352297_HesapOzeti.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 41570002689_20220814_05352297_HesapOzeti.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_004D4B37 LoadLibraryA,GetProcAddress,

0_2_004D4B37

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004DC4C6 push A3004DBAh; retn 004Dh	0_2_004DC50D
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004F8945 push ecx; ret	0_2_004F8958
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003E8945 push ecx; ret	2_2_003E8958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_024AA640 push ds; iretd	9_2_024AA6CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_024AA633 push ds; iretd	9_2_024AA63A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_024AA5A0 push ds; iretd	9_2_024AA632
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_024A9249 push cs; iretd	9_2_024A924A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0AAE0 push ss; retn 0005h	9_2_04D0AD22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0A3D8 push cs; retn 0005h	9_2_04D0A3DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D013F3 push edx; iretd	9_2_04D013F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D013F7 push edx; iretd	9_2_04D013FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D01367 push eax; iretd	9_2_04D0139A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_04D0AD81 push ss; retn 0005h	9_2_04D0AD82

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

File created: C:\Users\user\AppData\Local\nonplacental\juvenile.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs

Jump to behavior

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004D48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_004D48D7
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_00555376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00555376
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003C48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_003C48D7
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_00445376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_00445376

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_004F3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004F3187

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	API/Special instruction interceptor: Address: E2B6BC
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	API/Special instruction interceptor: Address: 15EB75C

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	API coverage: 4.6 %
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	API coverage: 4.8 %

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_0053445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0053445A
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_0053C6D1 FindFirstFileW,FindClose,	0_2_0053C6D1
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_0053C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0053C75C
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_0053EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0053EF95
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_0053F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0053F0F2
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_0053F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0053F3F3
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_005337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_005337EF
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_00533B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00533B12
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_0053BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0053BCBC
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_0042445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0042445A
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_0042C6D1 FindFirstFileW,FindClose,	2_2_0042C6D1
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_0042C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0042C75C
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_0042EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0042EF95
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_0042F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0042F0F2
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_0042F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0042F3F3
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_004237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_004237EF
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_00423B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00423B12
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_0042BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0042BCBC

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_004D49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004D49A0

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.3375025469.0000000001239000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3374975822.0000000000913000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 9_2_04D00AB8 LdrInitializeThunk,LdrInitializeThunk,

9_2_04D00AB8

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_00543F09 BlockInput,

0_2_00543F09

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_004D3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_004D3B3A

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_00505A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00505A7C

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_004D4B37 LoadLibraryA,GetProcAddress,

0_2_004D4B37

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_017EE548 mov eax, dword ptr fs:[00000030h]	0_2_017EE548
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_017EE5A8 mov eax, dword ptr fs:[00000030h]	0_2_017EE5A8
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_017ECEF8 mov eax, dword ptr fs:[00000030h]	0_2_017ECEF8
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_00E2A2D8 mov eax, dword ptr fs:[00000030h]	2_2_00E2A2D8
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_00E2B988 mov eax, dword ptr fs:[00000030h]	2_2_00E2B988
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_00E2B928 mov eax, dword ptr fs:[00000030h]	2_2_00E2B928
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 6_2_015EB9C8 mov eax, dword ptr fs:[00000030h]	6_2_015EB9C8
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 6_2_015EA378 mov eax, dword ptr fs:[00000030h]	6_2_015EA378
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 6_2_015EBA28 mov eax, dword ptr fs:[00000030h]	6_2_015EBA28

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_005280A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_005280A9

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004FA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004FA155
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_004FA124 SetUnhandledExceptionFilter,	0_2_004FA124
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003EA124 SetUnhandledExceptionFilter,	2_2_003EA124
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_003EA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_003EA155

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 2.2.juvenile.exe.510000.1.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 2.2.juvenile.exe.510000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 2.2.juvenile.exe.510000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D82008			Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 480008			Jump to behavior

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_005287B1 LogonUserW,

0_2_005287B1

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_004D3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_004D3B3A

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_004D48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_004D48D7

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_00534C53 mouse_event,

0_2_00534C53

Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\nonplacental\juvenile.exe "C:\Users\user\AppData\Local\nonplacental\juvenile.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\nonplacental\juvenile.exe"	Jump to behavior

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_00527CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00527CAF

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_0052874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0052874B

Source: 41570002689_20220814_05352297_HesapOzeti.exe, juvenile.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 41570002689_20220814_05352297_HesapOzeti.exe, juvenile.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_004F862B cpuid

0_2_004F862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_00504E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00504E87

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_00511E06 GetUserNameW,

0_2_00511E06

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_00503F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00503F3A

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Code function: 0_2_004D49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004D49A0

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 2.2.juvenile.exe.510000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.juvenile.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.juvenile.exe.510000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.juvenile.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3374747417.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: juvenile.exe PID: 6552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: juvenile.exe PID: 4196, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.juvenile.exe.510000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.juvenile.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.juvenile.exe.510000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.juvenile.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3374747417.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: juvenile.exe PID: 6552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: juvenile.exe PID: 4196, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: juvenile.exe	Binary or memory string: WIN_81
Source: juvenile.exe	Binary or memory string: WIN_XP
Source: juvenile.exe	Binary or memory string: WIN_XPe
Source: juvenile.exe	Binary or memory string: WIN_VISTA
Source: juvenile.exe	Binary or memory string: WIN_7
Source: juvenile.exe	Binary or memory string: WIN_8
Source: juvenile.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 2.2.juvenile.exe.510000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.juvenile.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.juvenile.exe.510000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.juvenile.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3376008303.0000000002846000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3376122410.0000000002F86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3374747417.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: juvenile.exe PID: 6552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: juvenile.exe PID: 4196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6104, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 2.2.juvenile.exe.510000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.juvenile.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.juvenile.exe.510000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.juvenile.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3374747417.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: juvenile.exe PID: 6552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: juvenile.exe PID: 4196, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.juvenile.exe.510000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.juvenile.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.juvenile.exe.510000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.juvenile.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3374747417.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: juvenile.exe PID: 6552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: juvenile.exe PID: 4196, type: MEMORYSTR

Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_00546283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00546283
Source: C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe	Code function: 0_2_00546747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00546747
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_00436283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	2_2_00436283
Source: C:\Users\user\AppData\Local\nonplacental\juvenile.exe	Code function: 2_2_00436747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_00436747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	12 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	121 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	231 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
41570002689_20220814_05352297_HesapOzeti.exe	24%	Virustotal		Browse
41570002689_20220814_05352297_HesapOzeti.exe	26%	ReversingLabs	Win32.Trojan.AutoitInject
41570002689_20220814_05352297_HesapOzeti.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\nonplacental\juvenile.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\nonplacental\juvenile.exe	26%	ReversingLabs	Win32.Trojan.AutoitInject
C:\Users\user\AppData\Local\nonplacental\juvenile.exe	24%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.67.152	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.175	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.175d	RegSvcs.exe, 00000003.00000002.3376122410.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.0000000002770000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	RegSvcs.exe, 00000003.00000002.3376122410.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.0000000002770000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	juvenile.exe, 00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3374747417.0000000000402000.00000040.80000000.00040000.00000000.sdmp, juvenile.exe, 00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	RegSvcs.exe, 00000003.00000002.3376122410.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.000000000278D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.3376122410.0000000002ECD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.000000000278D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	RegSvcs.exe, 00000003.00000002.3376122410.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.0000000002770000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.3376122410.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.0000000002770000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000003.00000002.3376122410.0000000002E9E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3376122410.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.0000000002770000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.000000000275E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000003.00000002.3376122410.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.0000000002770000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	RegSvcs.exe, 00000003.00000002.3376122410.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.0000000002770000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.3376122410.0000000002E83000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.175l	RegSvcs.exe, 00000003.00000002.3376122410.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.0000000002770000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	juvenile.exe, 00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3374747417.0000000000402000.00000040.80000000.00040000.00000000.sdmp, juvenile.exe, 00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	juvenile.exe, 00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3374747417.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3376122410.0000000002EB0000.00000004.00000800.00020000.00000000.sdmp, juvenile.exe, 00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3376008303.0000000002770000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
104.21.67.152	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1573518
Start date and time:	2024-12-12 07:53:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	41570002689_20220814_05352297_HesapOzeti.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/6@2/2
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 100% Number of executed functions: 56 Number of non-executed functions: 280
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 4328 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:54:06	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	QUOTES REQUEST FOR PRICES.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ST07933.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Price Quotation-01.dqy.dll	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ORDER-6070Y689_0PF57682456_DECVC789378909740.js	Get hash	malicious	WSHRat, Snake Keylogger	Browse	checkip.dyndns.org/
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi Img docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	FATR98765678000.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
104.21.67.152	malware.ps1	Get hash	malicious	MassLogger RAT	Browse
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	DEC 2024 RFQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Confirm revised invoice to proceed with payment ASAP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	Bank Swift and SOA PRN0072700314159453_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse
	ST07933.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Price Quotation-01.dqy.dll	Get hash	malicious	Snake Keylogger	Browse
	ORDER-6070Y689_0PF57682456_DECVC789378909740.js	Get hash	malicious	WSHRat, Snake Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	QUOTES REQUEST FOR PRICES.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	T#U00fcbitak SAGE RfqF#U0334D#U0334P#U0334..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	DEC 2024 RFQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	file.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Confirm revised invoice to proceed with payment ASAP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	Request for quote.doc	Get hash	malicious	Snake Keylogger	Browse	188.114.97.6
checkip.dyndns.com	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	QUOTES REQUEST FOR PRICES.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	T#U00fcbitak SAGE RfqF#U0334D#U0334P#U0334..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	DEC 2024 RFQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	file.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Confirm revised invoice to proceed with payment ASAP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	Malzeme #U0130stek Formu_12102024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Strait STS.vbs	Get hash	malicious	Remcos, GuLoader	Browse	172.67.216.143
	Captcha.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, LummaC Stealer	Browse	172.67.206.64
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	https://analytics-prd.aws.wehaa.net/trackings?value=1&action=click&category=external&origin=detailpage&url=http://notifix.info/scales/ec49f59be146f69f3ea00c211d5cccd90524b2cf7f8aec665534fc020c910734b9e18d0945bd518a0e55b407c5bf7443cf6179/paige_williams@newyorker.com&cat=firstpage&label_item_id=9633&label_owner_id=646&label_url=http://notifix.info/scales/ec49f59be146f69f3ea00c211d5cccd90524b2cf7f8aec665534fc020c910734b9e18d0945bd518a0e55b407c5bf7443cf6179/paige_williams@newyorker.com&idle=8d15bf95831b32126e4b3bd02a20cf592eade0e3442422aeaf0db14b2e91ae186a5549c468519863594ece59910ee541&tenant=minnesotastate.jobs	Get hash	malicious	Captcha Phish	Browse	104.21.80.1
	https://analytics-prd.aws.wehaa.net/trackings?value=1&action=click&category=external&origin=detailpage&url=http://notifix.info/scales/0af634fca2eaf3a11c0597691f5616c7d16f5580d650d17201024b374ebe92a8e0c492c822b6be6f4332bb93acc2ba02298f78/christa_sgobba@condenast.com&cat=firstpage&label_item_id=9633&label_owner_id=646&label_url=http://notifix.info/scales/0af634fca2eaf3a11c0597691f5616c7d16f5580d650d17201024b374ebe92a8e0c492c822b6be6f4332bb93acc2ba02298f78/christa_sgobba@condenast.com&idle=8d15bf95831b32126e4b3bd02a20cf592eade0e3442422aeaf0db14b2e91ae186a5549c468519863594ece59910ee541&tenant=minnesotastate.jobs	Get hash	malicious	Captcha Phish, HTMLPhisher	Browse	172.67.157.142
	REMITTANCE_10023Tdcj.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	phish_alert_iocp_v1.4.48 - 2024-12-11T151927.331.eml	Get hash	malicious	Unknown	Browse	104.17.25.14
	SHIPPING DOCUMENTS_PDF.exe	Get hash	malicious	FormBook	Browse	172.67.176.240
	jew.ppc.elf	Get hash	malicious	Unknown	Browse	104.16.155.85
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
UTMEMUS	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	QUOTES REQUEST FOR PRICES.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	DEC 2024 RFQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	file.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Request for quote.doc	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	ST07933.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	Price Quotation-01.dqy.dll	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	ORDER-6070Y689_0PF57682456_DECVC789378909740.js	Get hash	malicious	WSHRat, Snake Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	QUOTES REQUEST FOR PRICES.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	T#U00fcbitak SAGE RfqF#U0334D#U0334P#U0334..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	peks66Iy06.exe	Get hash	malicious	Unknown	Browse	104.21.67.152
	XXHYneydvF.exe	Get hash	malicious	Unknown	Browse	104.21.67.152
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	DEC 2024 RFQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	Itaxyhi.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.21.67.152

Process:	C:\Users\user\AppData\Local\nonplacental\juvenile.exe
File Type:	data
Category:	dropped
Size (bytes):	66084
Entropy (8bit):	7.924862087295859
Encrypted:	false
SSDEEP:	1536:bn2bMhIkGzFjmQl+nX1UVZuUpkYBa6584aBVCsJ:sBZFm1UTmYJ5DaBV/J
MD5:	4F8EA62DE975735719994477DF223810
SHA1:	A25AB87F59D1C868F434A64E9ED890719B325806
SHA-256:	D73F1CAC5DE36CE87B953C0C0917CE2F9BE5B4E6DB92DC25C173D23A5B1CFE37
SHA-512:	10B5D652475036E185CA5168E98DFBBECB0DE7238DD81755BFA26ED4951350691BEEA52496FD133325F646D5CF63B34BAB5F8064CB63CC44CC795F8A50652DFD
Malicious:	false
Reputation:	low
Preview:	EA06..n...t..}^g5..f4-F.oW..s..2.3....J.boW....j.#..@.J...K.y.9Ko.ey.[,..../'...)..P.Ndu..uR.....Ew.....g=...+..&c.J.^)6.Q}Y.F...[z..N.....EZg5..;........#+V.."..... .Vi.0...&u..Mj....Q..=.f.G..h..M"oW..].F....L.."9.._=2.....).T......n..{...6....E...S/....Y.X.3.J.2.1.D.@....B.M..L...D......"cY.w..4.b3%.U'.:.2..".huz......@&~.,.r......h..y..&.z../...>...^..D@..z..=0...?..s7...2Y&s..#..V.<..* .Z....0.22."@..K8.!:.D"...4......0.RB..M...P.!7.f.........5.b{}..1. .s5...V0...D.T.u^g?...9\R.E.t.`D..#W...U:..6....>eH.....UM4..E.R+...F...Q..`..`.U.s....1..dw..f..Mj...RIE.."...f.#..)..E^.3...W..f.]...5..r.7....y.f.\|...9%..\.U..l.. .Mo..}T..QbUX..%..j...mX..m........cw...sW..5...A....6.8..E.@...U^3..5..H.Bw...+.z.6..jo2........[80..j..&..,K30..j.9.^.}..o...NmY.F@...6.X......L..f.z\....3.....3..i.:...7..gUzm.W...4.....[k..e.......+..k..Ns...IF.D670..78....oU.S ..%V.E.........U...........0.!?...yt...BF.t.6.6.b\........9.`..[.N*s..V......5"....g.....

C:\Users\user\AppData\Local\Temp\autE8C2.tmp

Download File

Process:	C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe
File Type:	data
Category:	dropped
Size (bytes):	66084
Entropy (8bit):	7.924862087295859
Encrypted:	false
SSDEEP:	1536:bn2bMhIkGzFjmQl+nX1UVZuUpkYBa6584aBVCsJ:sBZFm1UTmYJ5DaBV/J
MD5:	4F8EA62DE975735719994477DF223810
SHA1:	A25AB87F59D1C868F434A64E9ED890719B325806
SHA-256:	D73F1CAC5DE36CE87B953C0C0917CE2F9BE5B4E6DB92DC25C173D23A5B1CFE37
SHA-512:	10B5D652475036E185CA5168E98DFBBECB0DE7238DD81755BFA26ED4951350691BEEA52496FD133325F646D5CF63B34BAB5F8064CB63CC44CC795F8A50652DFD
Malicious:	false
Reputation:	low
Preview:	EA06..n...t..}^g5..f4-F.oW..s..2.3....J.boW....j.#..@.J...K.y.9Ko.ey.[,..../'...)..P.Ndu..uR.....Ew.....g=...+..&c.J.^)6.Q}Y.F...[z..N.....EZg5..;........#+V.."..... .Vi.0...&u..Mj....Q..=.f.G..h..M"oW..].F....L.."9.._=2.....).T......n..{...6....E...S/....Y.X.3.J.2.1.D.@....B.M..L...D......"cY.w..4.b3%.U'.:.2..".huz......@&~.,.r......h..y..&.z../...>...^..D@..z..=0...?..s7...2Y&s..#..V.<..* .Z....0.22."@..K8.!:.D"...4......0.RB..M...P.!7.f.........5.b{}..1. .s5...V0...D.T.u^g?...9\R.E.t.`D..#W...U:..6....>eH.....UM4..E.R+...F...Q..`..`.U.s....1..dw..f..Mj...RIE.."...f.#..)..E^.3...W..f.]...5..r.7....y.f.\|...9%..\.U..l.. .Mo..}T..QbUX..%..j...mX..m........cw...sW..5...A....6.8..E.@...U^3..5..H.Bw...+.z.6..jo2........[80..j..&..,K30..j.9.^.}..o...NmY.F@...6.X......L..f.z\....3.....3..i.:...7..gUzm.W...4.....[k..e.......+..k..Ns...IF.D670..78....oU.S ..%V.E.........U...........0.!?...yt...BF.t.6.6.b\........9.`..[.N*s..V......5"....g.....

C:\Users\user\AppData\Local\Temp\autF749.tmp

Download File

Process:	C:\Users\user\AppData\Local\nonplacental\juvenile.exe
File Type:	data
Category:	dropped
Size (bytes):	66084
Entropy (8bit):	7.924862087295859
Encrypted:	false
SSDEEP:	1536:bn2bMhIkGzFjmQl+nX1UVZuUpkYBa6584aBVCsJ:sBZFm1UTmYJ5DaBV/J
MD5:	4F8EA62DE975735719994477DF223810
SHA1:	A25AB87F59D1C868F434A64E9ED890719B325806
SHA-256:	D73F1CAC5DE36CE87B953C0C0917CE2F9BE5B4E6DB92DC25C173D23A5B1CFE37
SHA-512:	10B5D652475036E185CA5168E98DFBBECB0DE7238DD81755BFA26ED4951350691BEEA52496FD133325F646D5CF63B34BAB5F8064CB63CC44CC795F8A50652DFD
Malicious:	false
Reputation:	low
Preview:	EA06..n...t..}^g5..f4-F.oW..s..2.3....J.boW....j.#..@.J...K.y.9Ko.ey.[,..../'...)..P.Ndu..uR.....Ew.....g=...+..&c.J.^)6.Q}Y.F...[z..N.....EZg5..;........#+V.."..... .Vi.0...&u..Mj....Q..=.f.G..h..M"oW..].F....L.."9.._=2.....).T......n..{...6....E...S/....Y.X.3.J.2.1.D.@....B.M..L...D......"cY.w..4.b3%.U'.:.2..".huz......@&~.,.r......h..y..&.z../...>...^..D@..z..=0...?..s7...2Y&s..#..V.<..* .Z....0.22."@..K8.!:.D"...4......0.RB..M...P.!7.f.........5.b{}..1. .s5...V0...D.T.u^g?...9\R.E.t.`D..#W...U:..6....>eH.....UM4..E.R+...F...Q..`..`.U.s....1..dw..f..Mj...RIE.."...f.#..)..E^.3...W..f.]...5..r.7....y.f.\|...9%..\.U..l.. .Mo..}T..QbUX..%..j...mX..m........cw...sW..5...A....6.8..E.@...U^3..5..H.Bw...+.z.6..jo2........[80..j..&..,K30..j.9.^.}..o...NmY.F@...6.X......L..f.z\....3.....3..i.:...7..gUzm.W...4.....[k..e.......+..k..Ns...IF.D670..78....oU.S ..%V.E.........U...........0.!?...yt...BF.t.6.6.b\........9.`..[.N*s..V......5"....g.....

C:\Users\user\AppData\Local\Temp\starbright

Download File

Process:	C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe
File Type:	data
Category:	dropped
Size (bytes):	93696
Entropy (8bit):	6.813000152426118
Encrypted:	false
SSDEEP:	1536:iN3KSqY7TZH65z76hc56zZSb593HmuydOPXmCVYVJQ71BYewo6:cKSqY7JKfi4AZkwuOOeCVYE71BZV6
MD5:	6B2C7159769E8F1031FC1E48FA33B9C9
SHA1:	5F938E279C3F343E39F43178F1D9EDBA33F13A63
SHA-256:	A6709928307CFAD45154DA85E2F58483C37017655682B59BFAA4B87B74596740
SHA-512:	19C6629892D0F304300770F24A9FDBBCC51606AA214144354CDD0DD9C1DF54CB62A4F7FD3F89119C05D1DBF7467CFC5F511E79A14A793BD052D152835DDC100E
Malicious:	false
Reputation:	low
Preview:	u..YOW35SM1B..7W.8S0YLW3uWM1BWX7WE8S0YLW35WM1BWX7WE8S0YLW35W.1BWV(.K8.9.m.2y.le>+.'7W4B8!wPT9#^6w:Rw7M=.0"wwz.m\-3=.ZH2w0YLW35W.tBW.6TE..LW35WM1B.X5VN9.0Y(V35_M1BWX7i.9S0yLW3.VM1B.X7wE8S2YLS35WM1BW^7WE8S0YL.25WO1BWX7WG83.YLG35GM1BWH7WU8S0YLW#5WM1BWX7WE8..XL.35WM.CW.2WE8S0YLW35WM1BWX7WE.R0ULW35WM1BWX7WE8S0YLW35WM1BWX7WE8S0YLW35WM1BWX7WE8S0YLw35_M1BWX7WE8S0QlW3}WM1BWX7WE8S.-)/G5WMu VX7wE8STXLW15WM1BWX7WE8S0YlW3Uy?B04X7W.=S0Y.V35QM1B1Y7WE8S0YLW35WMqBW..% T<SYL[35WM.CWX5WE8?1YLW35WM1BWX7W.8SrYLW35WM1BWX7WE8S..MW35WMyBWX5W@8..YL..5WN1BW.7WC..0Y.W35WM1BWX7WE8S0YLW35WM1BWX7WE8S0YLW35WM1BWX..7..%$..WM1BWX6UF<U8QLW35WM1B)X7W.8S0.LW3.WM1gWX7:E8S.YLWM5WMOBWXSWE8!0YL635W.1BW77WEVS0Y2W35IO.]WX=}c8Q.yLW95}.BcWX=.D8S4*nW3?.O1BS+.WE2.3YLS@.WM;.SX7S6.S0S.R35SgkBT.!QE8H_aLW95T.$DWX,}c8Q.`LW95}k1A.M1WE#y.YN.:5WI..$E7WC..0YF#:5WO.HWX3}[:{sYL]..)^1BSs7}gFG0YH\|3.u3$BW\.Wo.-&YLS.5}oOUWX3\|E.U.;L%.9W=2-6X7Qm.S0Sd.35QM.xW&9WE<Q_.LW9.}w1j.X7QE..0YJW..W3.BW\.P;.S0]gAM.WM5.Q 7WCK.0YFr..WM5j.X7]E..0q.W33We}BW^

C:\Users\user\AppData\Local\nonplacental\juvenile.exe

Download File

Process:	C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1023488
Entropy (8bit):	6.773119559529159
Encrypted:	false
SSDEEP:	24576:Wu6J33O0c+JY5UZ+XC0kGso6FaKTcandvKoNwRxWY:4u0c++OCvkGs9FaKTldvKs3Y
MD5:	6127B0AB2FAAE8792BE092EF96F1D8CF
SHA1:	674852F4463B50ECB17D7F720CC165773C6CE3F8
SHA-256:	B996D0418D6D8AC7D8F9CE4D09D0EB1F0FD1B30D733499742A41A9C6930521B4
SHA-512:	1ADEB6D14D766C0A28F506E124BCA3058A2D616695CE8853C2EA7DEDF67552DA98ECFFD97F572B6C2C89F4C25D9060928395ACBE83B9CFF720A3308AE6BFE5C1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26% Antivirus: Virustotal, Detection: 24%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L....\Zg.........."..................}............@.................................[.....@...@.......@.....................L...\|....p..`........................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...`....p......................@..@.reloc...q.......r...,..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs

Download File

Process:	C:\Users\user\AppData\Local\nonplacental\juvenile.exe
File Type:	data
Category:	dropped
Size (bytes):	288
Entropy (8bit):	3.374464106698239
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclzXUEZ+lX1mQlTlup7SlpAdA6nriIM8lfQVn:DsO+vNlDQ1mwT01rFmA2n
MD5:	A064933A5774A8BE128FE40650BD66B6
SHA1:	E90991B329DCB55D7463F6C8B8E36FC70924F83D
SHA-256:	B65DF7BAD469F7C12207C44E5EF6E033E4EFC0B526100C5F5CD05129004E227C
SHA-512:	BBF532104B2F4B19707C60D67BC37326DE67168DACEC8053BA67CC96F8EC95A79F86A2809E30C88D7FBE3212415B3B59CA020974FE95A73C16930A22E21A3FB3
Malicious:	true
Reputation:	low
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.n.o.n.p.l.a.c.e.n.t.a.l.\.j.u.v.e.n.i.l.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.773119559529159
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	41570002689_20220814_05352297_HesapOzeti.exe
File size:	1'023'488 bytes
MD5:	6127b0ab2faae8792be092ef96f1d8cf
SHA1:	674852f4463b50ecb17d7f720cc165773c6ce3f8
SHA256:	b996d0418d6d8ac7d8f9ce4d09d0eb1f0fd1b30d733499742a41a9c6930521b4
SHA512:	1adeb6d14d766c0a28f506e124bca3058a2d616695ce8853c2ea7dedf67552da98ecffd97f572b6c2c89f4c25d9060928395acbe83b9cff720a3308ae6bfe5c1
SSDEEP:	24576:Wu6J33O0c+JY5UZ+XC0kGso6FaKTcandvKoNwRxWY:4u0c++OCvkGs9FaKTldvKs3Y
TLSH:	0B259D2277DF8360CB669173BF6973016FBB3A650633B8572E840D79E9501631A2C7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	0f4d0d0707692113

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675A5CC6 [Thu Dec 12 03:47:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F7F14EE6E7Ah
jmp 00007F7F14ED9C44h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F7F14ED9DCAh
cmp edi, eax
jc 00007F7F14EDA12Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F7F14ED9DC9h
rep movsb
jmp 00007F7F14EDA0DCh
cmp ecx, 00000080h
jc 00007F7F14ED9F94h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F7F14ED9DD0h
bt dword ptr [004BE324h], 01h
jc 00007F7F14EDA2A0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F7F14ED9F6Dh
test edi, 00000003h
jne 00007F7F14ED9F7Eh
test esi, 00000003h
jne 00007F7F14ED9F5Dh
bt edi, 02h
jnc 00007F7F14ED9DCFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F7F14ED9DD3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F7F14ED9E25h
bt esi, 03h
jnc 00007F7F14ED9E78h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x31560	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf9000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x31560	0x31600	57e5ce6a80e5bd23526d8bfdf3a15b43	False	0.6956190664556962	data	6.920994973673284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf9000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc7458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc7580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc76a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc77d0	0xe4e8	Device independent bitmap graphic, 217 x 464 x 8, image size 51040, 256 important colors	English	Great Britain	0.08484641638225256
RT_MENU	0xd5cb8	0x50	data	English	Great Britain	0.9
RT_STRING	0xd5d08	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xd629c	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xd6928	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xd6db8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xd73b4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd7a10	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd7e78	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd7fd0	0x20073	data			1.0003735126193907
RT_GROUP_ICON	0xf8044	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xf8058	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xf806c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xf8080	0x14	data	English	Great Britain	1.25
RT_VERSION	0xf8094	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xf8170	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-12T07:54:08.418914+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49709	132.226.8.169	80	TCP
2024-12-12T07:54:23.184179+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49748	132.226.8.169	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 07:54:06.351862907 CET	49709	80	192.168.2.6	132.226.8.169
Dec 12, 2024 07:54:06.471498966 CET	80	49709	132.226.8.169	192.168.2.6
Dec 12, 2024 07:54:06.472014904 CET	49709	80	192.168.2.6	132.226.8.169
Dec 12, 2024 07:54:06.472090006 CET	49709	80	192.168.2.6	132.226.8.169
Dec 12, 2024 07:54:06.591439009 CET	80	49709	132.226.8.169	192.168.2.6
Dec 12, 2024 07:54:07.882858992 CET	80	49709	132.226.8.169	192.168.2.6
Dec 12, 2024 07:54:07.888314962 CET	49709	80	192.168.2.6	132.226.8.169
Dec 12, 2024 07:54:08.007642984 CET	80	49709	132.226.8.169	192.168.2.6
Dec 12, 2024 07:54:08.373737097 CET	80	49709	132.226.8.169	192.168.2.6
Dec 12, 2024 07:54:08.418914080 CET	49709	80	192.168.2.6	132.226.8.169
Dec 12, 2024 07:54:08.522134066 CET	49711	443	192.168.2.6	104.21.67.152
Dec 12, 2024 07:54:08.522187948 CET	443	49711	104.21.67.152	192.168.2.6
Dec 12, 2024 07:54:08.522418022 CET	49711	443	192.168.2.6	104.21.67.152
Dec 12, 2024 07:54:08.561515093 CET	49711	443	192.168.2.6	104.21.67.152
Dec 12, 2024 07:54:08.561528921 CET	443	49711	104.21.67.152	192.168.2.6
Dec 12, 2024 07:54:09.781606913 CET	443	49711	104.21.67.152	192.168.2.6
Dec 12, 2024 07:54:09.781687021 CET	49711	443	192.168.2.6	104.21.67.152
Dec 12, 2024 07:54:09.785697937 CET	49711	443	192.168.2.6	104.21.67.152
Dec 12, 2024 07:54:09.785712957 CET	443	49711	104.21.67.152	192.168.2.6
Dec 12, 2024 07:54:09.786108971 CET	443	49711	104.21.67.152	192.168.2.6
Dec 12, 2024 07:54:09.840873957 CET	49711	443	192.168.2.6	104.21.67.152
Dec 12, 2024 07:54:09.865813017 CET	49711	443	192.168.2.6	104.21.67.152
Dec 12, 2024 07:54:09.907351971 CET	443	49711	104.21.67.152	192.168.2.6
Dec 12, 2024 07:54:10.217297077 CET	443	49711	104.21.67.152	192.168.2.6
Dec 12, 2024 07:54:10.217463970 CET	443	49711	104.21.67.152	192.168.2.6
Dec 12, 2024 07:54:10.217578888 CET	49711	443	192.168.2.6	104.21.67.152
Dec 12, 2024 07:54:10.226094961 CET	49711	443	192.168.2.6	104.21.67.152
Dec 12, 2024 07:54:21.082550049 CET	49748	80	192.168.2.6	132.226.8.169
Dec 12, 2024 07:54:21.201913118 CET	80	49748	132.226.8.169	192.168.2.6
Dec 12, 2024 07:54:21.202003002 CET	49748	80	192.168.2.6	132.226.8.169
Dec 12, 2024 07:54:21.202481031 CET	49748	80	192.168.2.6	132.226.8.169
Dec 12, 2024 07:54:21.321846962 CET	80	49748	132.226.8.169	192.168.2.6
Dec 12, 2024 07:54:22.596755028 CET	80	49748	132.226.8.169	192.168.2.6
Dec 12, 2024 07:54:22.601896048 CET	49748	80	192.168.2.6	132.226.8.169
Dec 12, 2024 07:54:22.721204996 CET	80	49748	132.226.8.169	192.168.2.6
Dec 12, 2024 07:54:23.129336119 CET	80	49748	132.226.8.169	192.168.2.6
Dec 12, 2024 07:54:23.131937981 CET	49754	443	192.168.2.6	104.21.67.152
Dec 12, 2024 07:54:23.132002115 CET	443	49754	104.21.67.152	192.168.2.6
Dec 12, 2024 07:54:23.132102013 CET	49754	443	192.168.2.6	104.21.67.152
Dec 12, 2024 07:54:23.152658939 CET	49754	443	192.168.2.6	104.21.67.152
Dec 12, 2024 07:54:23.152683973 CET	443	49754	104.21.67.152	192.168.2.6
Dec 12, 2024 07:54:23.184179068 CET	49748	80	192.168.2.6	132.226.8.169
Dec 12, 2024 07:54:24.363145113 CET	443	49754	104.21.67.152	192.168.2.6
Dec 12, 2024 07:54:24.363254070 CET	49754	443	192.168.2.6	104.21.67.152
Dec 12, 2024 07:54:24.365120888 CET	49754	443	192.168.2.6	104.21.67.152
Dec 12, 2024 07:54:24.365133047 CET	443	49754	104.21.67.152	192.168.2.6
Dec 12, 2024 07:54:24.365413904 CET	443	49754	104.21.67.152	192.168.2.6
Dec 12, 2024 07:54:24.416404963 CET	49754	443	192.168.2.6	104.21.67.152
Dec 12, 2024 07:54:24.463345051 CET	443	49754	104.21.67.152	192.168.2.6
Dec 12, 2024 07:54:24.815330029 CET	443	49754	104.21.67.152	192.168.2.6
Dec 12, 2024 07:54:24.815390110 CET	443	49754	104.21.67.152	192.168.2.6
Dec 12, 2024 07:54:24.815536022 CET	49754	443	192.168.2.6	104.21.67.152
Dec 12, 2024 07:54:24.819483995 CET	49754	443	192.168.2.6	104.21.67.152
Dec 12, 2024 07:55:13.371459007 CET	80	49709	132.226.8.169	192.168.2.6
Dec 12, 2024 07:55:13.371670008 CET	49709	80	192.168.2.6	132.226.8.169
Dec 12, 2024 07:55:28.085843086 CET	80	49748	132.226.8.169	192.168.2.6
Dec 12, 2024 07:55:28.086055994 CET	49748	80	192.168.2.6	132.226.8.169
Dec 12, 2024 07:55:48.388060093 CET	49709	80	192.168.2.6	132.226.8.169
Dec 12, 2024 07:55:48.507711887 CET	80	49709	132.226.8.169	192.168.2.6
Dec 12, 2024 07:56:03.137981892 CET	49748	80	192.168.2.6	132.226.8.169
Dec 12, 2024 07:56:03.257579088 CET	80	49748	132.226.8.169	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 07:54:06.195492029 CET	62723	53	192.168.2.6	1.1.1.1
Dec 12, 2024 07:54:06.332453012 CET	53	62723	1.1.1.1	192.168.2.6
Dec 12, 2024 07:54:08.375879049 CET	50527	53	192.168.2.6	1.1.1.1
Dec 12, 2024 07:54:08.513214111 CET	53	50527	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 12, 2024 07:54:06.195492029 CET	192.168.2.6	1.1.1.1	0xd134	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 12, 2024 07:54:08.375879049 CET	192.168.2.6	1.1.1.1	0xfff8	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 12, 2024 07:54:06.332453012 CET	1.1.1.1	192.168.2.6	0xd134	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 07:54:06.332453012 CET	1.1.1.1	192.168.2.6	0xd134	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 12, 2024 07:54:06.332453012 CET	1.1.1.1	192.168.2.6	0xd134	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 12, 2024 07:54:06.332453012 CET	1.1.1.1	192.168.2.6	0xd134	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 12, 2024 07:54:06.332453012 CET	1.1.1.1	192.168.2.6	0xd134	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 12, 2024 07:54:06.332453012 CET	1.1.1.1	192.168.2.6	0xd134	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 12, 2024 07:54:08.513214111 CET	1.1.1.1	192.168.2.6	0xfff8	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 12, 2024 07:54:08.513214111 CET	1.1.1.1	192.168.2.6	0xfff8	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49709	132.226.8.169	80	4328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2024 07:54:06.472090006 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 12, 2024 07:54:07.882858992 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 06:54:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
Dec 12, 2024 07:54:07.888314962 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 12, 2024 07:54:08.373737097 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 06:54:08 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49748	132.226.8.169	80	6104	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2024 07:54:21.202481031 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 12, 2024 07:54:22.596755028 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 06:54:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
Dec 12, 2024 07:54:22.601896048 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 12, 2024 07:54:23.129336119 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 06:54:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49711	104.21.67.152	443	4328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 06:54:09 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-12 06:54:10 UTC	878	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 06:54:10 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 165773 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eeLyx%2FX0m8Jf1NYULgW7PjvCbyJYnXUUC8kJnQoXPVrhzFFkdvyAaQDV%2BBTx6B%2FVGVtE9e0tSVaCW3p6S4SgD2vjRXuxaDvbpYibEfqyf4f2HlbShwEJpnc%2FT3CQE7vdu2FePzUH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0bcd30cf9ec329-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1488&min_rtt=1488&rtt_var=559&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1957104&cwnd=148&unsent_bytes=0&cid=6e5505cb6d51d35e&ts=452&x=0"
2024-12-12 06:54:10 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49754	104.21.67.152	443	6104	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 06:54:24 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-12 06:54:24 UTC	876	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 06:54:24 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 165787 Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C2V2BGb%2Fruz41dzF2IWj%2FfAoxUsRQPoraneUXgnsa2q0tywwixN8UB9OOvoZga1RkWQ8e1xYBWwRYxBYCWSFiRJakUpxNNip89JC8PiLAJZDSZSnwl%2B5G51NoI1GNntFFhQN4gEM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0bcd8bf9507c9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1992&min_rtt=1988&rtt_var=754&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1441975&cwnd=188&unsent_bytes=0&cid=dd501220f138ddb3&ts=456&x=0"
2024-12-12 06:54:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	01:53:57
Start date:	12/12/2024
Path:	C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe"
Imagebase:	0x4d0000
File size:	1'023'488 bytes
MD5 hash:	6127B0AB2FAAE8792BE092EF96F1D8CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:54:00
Start date:	12/12/2024
Path:	C:\Users\user\AppData\Local\nonplacental\juvenile.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe"
Imagebase:	0x3c0000
File size:	1'023'488 bytes
MD5 hash:	6127B0AB2FAAE8792BE092EF96F1D8CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.2191566788.0000000000510000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 26%, ReversingLabs Detection: 24%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:54:04
Start date:	12/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\41570002689_20220814_05352297_HesapOzeti.exe"
Imagebase:	0xaf0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3376122410.0000000002F86000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.3374747417.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3374747417.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3374747417.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.3374747417.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	01:54:14
Start date:	12/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs"
Imagebase:	0x7ff769520000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:54:15
Start date:	12/12/2024
Path:	C:\Users\user\AppData\Local\nonplacental\juvenile.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\nonplacental\juvenile.exe"
Imagebase:	0x3c0000
File size:	1'023'488 bytes
MD5 hash:	6127B0AB2FAAE8792BE092EF96F1D8CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000002.2340015646.0000000001390000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:54:19
Start date:	12/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\nonplacental\juvenile.exe"
Imagebase:	0x300000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3376008303.0000000002846000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	8.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	59

Executed Functions

Function 004D3B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004D3B68
IsDebuggerPresent.KERNEL32 ref: 004D3B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,005952F8,005952E0,?,?), ref: 004D3BEB

Part of subcall function 004D7BCC: _memmove.LIBCMT ref: 004D7C06

Part of subcall function 004E092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,004D3C14,005952F8,?,?,?), ref: 004E096E

SetCurrentDirectoryW.KERNEL32(?), ref: 004D3C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00587770,00000010), ref: 0050D281
SetCurrentDirectoryW.KERNEL32(?,005952F8,?,?,?), ref: 0050D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00584260,005952F8,?,?,?), ref: 0050D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0050D346

Part of subcall function 004D3A46: GetSysColorBrush.USER32(0000000F), ref: 004D3A50
Part of subcall function 004D3A46: LoadCursorW.USER32(00000000,00007F00), ref: 004D3A5F
Part of subcall function 004D3A46: LoadIconW.USER32(00000063), ref: 004D3A76
Part of subcall function 004D3A46: LoadIconW.USER32(000000A4), ref: 004D3A88
Part of subcall function 004D3A46: LoadIconW.USER32(000000A2), ref: 004D3A9A
Part of subcall function 004D3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004D3AC0
Part of subcall function 004D3A46: RegisterClassExW.USER32(?), ref: 004D3B16

Part of subcall function 004D39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004D3A03
Part of subcall function 004D39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004D3A24
Part of subcall function 004D39D5: ShowWindow.USER32(00000000,?,?), ref: 004D3A38
Part of subcall function 004D39D5: ShowWindow.USER32(00000000,?,?), ref: 004D3A41

Part of subcall function 004D434A: _memset.LIBCMT ref: 004D4370
Part of subcall function 004D434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004D4415

Strings

%V, xrefs: 004D3C44
runas, xrefs: 0050D33A
This is a third-party compiled AutoIt script., xrefs: 0050D279

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%V
API String ID: 529118366-709440564
Opcode ID: 0c43af94178ccf8c3bff88da2fb5dde13e0bb2f4a47d22572fdea2429e837a02
Instruction ID: 68d0f6d7d9f79de597e50381689dfff907e2cb5fdc3d4046e8de05b541a91bb0
Opcode Fuzzy Hash: 0c43af94178ccf8c3bff88da2fb5dde13e0bb2f4a47d22572fdea2429e837a02
Instruction Fuzzy Hash: DE511575908248AEDF02EFF5DC259ED7B78BF54705F0040ABF811A23A1EA785609DB26

Function 004D49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 004D49CD

Part of subcall function 004D7BCC: _memmove.LIBCMT ref: 004D7C06

GetCurrentProcess.KERNEL32(?,0055FAEC,00000000,00000000,?), ref: 004D4A9A
IsWow64Process.KERNEL32(00000000), ref: 004D4AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 004D4AE7
FreeLibrary.KERNEL32(00000000), ref: 004D4AF2
GetSystemInfo.KERNEL32(00000000), ref: 004D4B23
GetSystemInfo.KERNEL32(00000000), ref: 004D4B2F

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: cabb79f10d9d5c1502debf126d4eecff7db46f59248648796f9be0022624d489
Instruction ID: 07ae514d16b65392e000a1a25b92af53894be3d9142ba2a853db96426643baaf
Opcode Fuzzy Hash: cabb79f10d9d5c1502debf126d4eecff7db46f59248648796f9be0022624d489
Instruction Fuzzy Hash: 3C9193319897C0DBC731DBA895601AABFF5BF7A300B4449AFD0C693B41D234A508D76E

Function 004D4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004D4D8E,?,?,00000000,00000000), ref: 004D4E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004D4D8E,?,?,00000000,00000000), ref: 004D4EB0
LoadResource.KERNEL32(?,00000000,?,?,004D4D8E,?,?,00000000,00000000,?,?,?,?,?,?,004D4E2F), ref: 0050D937
SizeofResource.KERNEL32(?,00000000,?,?,004D4D8E,?,?,00000000,00000000,?,?,?,?,?,?,004D4E2F), ref: 0050D94C
LockResource.KERNEL32(004D4D8E,?,?,004D4D8E,?,?,00000000,00000000,?,?,?,?,?,?,004D4E2F,00000000), ref: 0050D95F

Strings

SCRIPT, xrefs: 004D4EA6

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: ce72b5bd2a0f501170d30415e38a0c7febea822db17bb8fbd10372fb01bf3bef
Instruction ID: de99f9cc84b5af5ca4df5cd96e344e05a4da4565a220768d2898c441c12d413e
Opcode Fuzzy Hash: ce72b5bd2a0f501170d30415e38a0c7febea822db17bb8fbd10372fb01bf3bef
Instruction Fuzzy Hash: 19115EB5240700BFD7218B65EC58F677BBAFBC5B12F20426AF405C6290DB71E8049661

Function 004DFCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

pbY, xrefs: 005149B9
%V, xrefs: 004DFCF3

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: BuffCharUpper
String ID: pbY$%V
API String ID: 3964851224-3875331166
Opcode ID: 500593a86b3685402906487ee4bd64411d083f36b47676925352554be7a8e6fe
Instruction ID: 6857828d09fdafd36566effb6d1c6620fe6d3e43679b5d1324233154dfad0db6
Opcode Fuzzy Hash: 500593a86b3685402906487ee4bd64411d083f36b47676925352554be7a8e6fe
Instruction Fuzzy Hash: 35927D705083819FD720DF25C490B6BBBE1BF85304F14896EE89A8B352D779EC85CB96

Function 004DE6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

DdY, xrefs: 00513AF5
DdY, xrefs: 00513B2E
DdY, xrefs: 004DEABA
Variable must be of type 'Object'., xrefs: 00513E62
DdY, xrefs: 004DEAC1

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID:
String ID: DdY$DdY$DdY$DdY$Variable must be of type 'Object'.
API String ID: 0-2238133445
Opcode ID: 7a62a4f2d1e59fce6b34d052255674957348d43f9c666ef6185e33dec2a6bf87
Instruction ID: cb9e8dc4d3f3c4783ac10f0beaeabf892f476ba354dbd3a2befc2f81776e767f
Opcode Fuzzy Hash: 7a62a4f2d1e59fce6b34d052255674957348d43f9c666ef6185e33dec2a6bf87
Instruction Fuzzy Hash: CCA28D74A00206CBDB24EF55C4A0AAEBBB1FF59314F24805BE8059F351D739ED86CB95

Function 0053445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0050E398), ref: 0053446A
FindFirstFileW.KERNELBASE(?,?), ref: 0053447B
FindClose.KERNEL32(00000000), ref: 0053448B

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 270e899620bcc91c83452f8b652298702b162f0ab65cff1b634311c182e83fb4
Instruction ID: 47465a687d235f4ef7a9950f6d976f19f2802848a303eea7ec81aecfff71868a
Opcode Fuzzy Hash: 270e899620bcc91c83452f8b652298702b162f0ab65cff1b634311c182e83fb4
Instruction Fuzzy Hash: 22E0D8764106006756106B38EC0D4ED7B5CAE15336F100B25F936C20E0E7747904AB96

Function 004E09D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004E0A5B
timeGetTime.WINMM ref: 004E0D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004E0E53
Sleep.KERNEL32(0000000A), ref: 004E0E61
LockWindowUpdate.USER32(00000000,?,?), ref: 004E0EFA
DestroyWindow.USER32 ref: 004E0F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004E0F20
Sleep.KERNEL32(0000000A,?,?), ref: 00514E83
TranslateMessage.USER32(?), ref: 00515C60
DispatchMessageW.USER32(?), ref: 00515C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00515C82

Strings

@TRAY_ID, xrefs: 0051578F
pbY, xrefs: 00514F59
@GUI_CTRLID, xrefs: 00514F3A
@COM_EVENTOBJ, xrefs: 005154F0
@GUI_CTRLHANDLE, xrefs: 00514FE4
@GUI_WINHANDLE, xrefs: 00514F8F
pbY, xrefs: 005157B4
pbY, xrefs: 00514FAE
pbY, xrefs: 00515003

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbY$pbY$pbY$pbY
API String ID: 4212290369-3391711730
Opcode ID: 66e914d28b40779ea5531fd23c2146df0b41c6d6c63beaae9ccf523ca94e84da
Instruction ID: 50f3b78e88921d418a773705334ee91404bd54c22ed6e0e0dd4e59f2ef52710f
Opcode Fuzzy Hash: 66e914d28b40779ea5531fd23c2146df0b41c6d6c63beaae9ccf523ca94e84da
Instruction Fuzzy Hash: C0B2E570608741DFEB24DF25C894BAABBE4FF84304F14491EF499972A1D7B4E884DB86

Function 00539155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00538F5F: __time64.LIBCMT ref: 00538F69

Part of subcall function 004D4EE5: _fseek.LIBCMT ref: 004D4EFD

__wsplitpath.LIBCMT ref: 00539234

Part of subcall function 004F40FB: __wsplitpath_helper.LIBCMT ref: 004F413B

_wcscpy.LIBCMT ref: 00539247
_wcscat.LIBCMT ref: 0053925A
__wsplitpath.LIBCMT ref: 0053927F
_wcscat.LIBCMT ref: 00539295
_wcscat.LIBCMT ref: 005392A8

Part of subcall function 00538FA5: _memmove.LIBCMT ref: 00538FDE
Part of subcall function 00538FA5: _memmove.LIBCMT ref: 00538FED

_wcscmp.LIBCMT ref: 005391EF

Part of subcall function 00539734: _wcscmp.LIBCMT ref: 00539824
Part of subcall function 00539734: _wcscmp.LIBCMT ref: 00539837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00539452
_wcsncpy.LIBCMT ref: 005394C5
DeleteFileW.KERNEL32(?,?), ref: 005394FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00539511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00539522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00539534

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 1cef77bf5a88a7134b1d53d272983e0375d631c194c8e1ae4c79e3fd9ca8d350
Instruction ID: bc7bf2228608b0849ae79e24a1d4e1b0f0e36b17108bf0ab5b6b72548a76697f
Opcode Fuzzy Hash: 1cef77bf5a88a7134b1d53d272983e0375d631c194c8e1ae4c79e3fd9ca8d350
Instruction Fuzzy Hash: D0C15CB1D00219ABDF21DF95CC85EEEBBB8EF85304F0044AAF609E6251DB749A448F65

Function 004D3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004D3074
RegisterClassExW.USER32(00000030), ref: 004D309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004D30AF
InitCommonControlsEx.COMCTL32(?), ref: 004D30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004D30DC
LoadIconW.USER32(000000A9), ref: 004D30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004D3101

Strings

AutoIt v3 GUI, xrefs: 004D3090
TaskbarCreated, xrefs: 004D30A4
0, xrefs: 004D3056
+, xrefs: 004D305D

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d120bbb4a6bd88a840327cdf716515ea7177f8dc60882c0243655600860a999f
Instruction ID: 16b558b4653ff845794fcc57b6b6600b0d48378f2c6c7cf1499c2d874f2db0f4
Opcode Fuzzy Hash: d120bbb4a6bd88a840327cdf716515ea7177f8dc60882c0243655600860a999f
Instruction Fuzzy Hash: D53156B1801348AFDB018FA4E898ADEBBF4FB19310F24416AE480E62A0E3B50559DF51

Function 004D3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004D3074
RegisterClassExW.USER32(00000030), ref: 004D309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004D30AF
InitCommonControlsEx.COMCTL32(?), ref: 004D30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004D30DC
LoadIconW.USER32(000000A9), ref: 004D30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004D3101

Strings

AutoIt v3 GUI, xrefs: 004D3090
TaskbarCreated, xrefs: 004D30A4
0, xrefs: 004D3056
+, xrefs: 004D305D

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 951214933f217dff3d00c6d687ab443a8404645579a317e0eb4a6afd03315a41
Instruction ID: 2f12aa775b148f682391e60e4801a7098cb8a4b86cd51853ce174c844a226fd6
Opcode Fuzzy Hash: 951214933f217dff3d00c6d687ab443a8404645579a317e0eb4a6afd03315a41
Instruction Fuzzy Hash: E021F4B1911308AFDB01DFA4EC98BDEBBF4FB18701F14412BF911A62A0E7B14558AF91

Function 004D708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004D4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005952F8,?,004D37AE,?), ref: 004D4724

Part of subcall function 004F050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,004D7165), ref: 004F052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004D71A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0050E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0050E909
RegCloseKey.ADVAPI32(?), ref: 0050E947
_wcscat.LIBCMT ref: 0050E9A0

Strings

\, xrefs: 0050E9C3
Include, xrefs: 0050E8BF, 0050E900
Software\AutoIt v3\AutoIt, xrefs: 004D719E
\Include\, xrefs: 004D7165

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 28be6543172bcb08493b92a6806506ee1f30bb4f5bef65eb417639b1850f00f3
Instruction ID: 53acd262eac0a1e3ca949519951b974091a4e325bb8f6d409270ce64fba6eba4
Opcode Fuzzy Hash: 28be6543172bcb08493b92a6806506ee1f30bb4f5bef65eb417639b1850f00f3
Instruction Fuzzy Hash: 88718D755083019ECB00EF66E8619AFBBE8FF94354F40092FF445872A0EB74994CDB56

Function 004D3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004D36D2
KillTimer.USER32(?,00000001), ref: 004D36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004D371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004D372A
CreatePopupMenu.USER32 ref: 004D373E
PostQuitMessage.USER32(00000000), ref: 004D374D

Strings

TaskbarCreated, xrefs: 004D3725
%V, xrefs: 0050D081, 0050D0CF

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%V
API String ID: 129472671-3392457207
Opcode ID: cb93ad023653b3f9406cf4f4a2a284db82f788d0b15e5f3fe5724740b8d1b59f
Instruction ID: e3f97dc8cadf82fc08da7ab09497d173e13b883bd33dfdb5c0d199f3bce9efb3
Opcode Fuzzy Hash: cb93ad023653b3f9406cf4f4a2a284db82f788d0b15e5f3fe5724740b8d1b59f
Instruction Fuzzy Hash: E44117B1110905BBDF216F64DC39B7E3FA4FB14302F10012BF502963E1EA689E59A76B

Function 004D3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004D3A50
LoadCursorW.USER32(00000000,00007F00), ref: 004D3A5F
LoadIconW.USER32(00000063), ref: 004D3A76
LoadIconW.USER32(000000A4), ref: 004D3A88
LoadIconW.USER32(000000A2), ref: 004D3A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004D3AC0
RegisterClassExW.USER32(?), ref: 004D3B16

Part of subcall function 004D3041: GetSysColorBrush.USER32(0000000F), ref: 004D3074
Part of subcall function 004D3041: RegisterClassExW.USER32(00000030), ref: 004D309E
Part of subcall function 004D3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004D30AF
Part of subcall function 004D3041: InitCommonControlsEx.COMCTL32(?), ref: 004D30CC
Part of subcall function 004D3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004D30DC
Part of subcall function 004D3041: LoadIconW.USER32(000000A9), ref: 004D30F2
Part of subcall function 004D3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004D3101

Strings

AutoIt v3, xrefs: 004D3B05
#, xrefs: 004D3AFB
0, xrefs: 004D3AF4

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: f1771e40ce534f5584d9ce8f577efcb7e100372b73545a31edf1e83270693e75
Instruction ID: 5a0dea1a556d916ebca386812b302ee4fbbf5c84694d2dfb11fa7a6ccc2de9b6
Opcode Fuzzy Hash: f1771e40ce534f5584d9ce8f577efcb7e100372b73545a31edf1e83270693e75
Instruction Fuzzy Hash: 49216D78D10304AFEF12DFA4EC19B9D7BB0FB18712F05015BE504A62A1E3B55568AF84

Function 004D3766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteScript, xrefs: 004D38BC
CMDLINE, xrefs: 004D3822
/AutoIt3ExecuteLine, xrefs: 004D38A7
RY, xrefs: 0050D213
/ErrorStdOut, xrefs: 004D387D
CMDLINERAW, xrefs: 004D37FB
/AutoIt3OutputDebug, xrefs: 004D3892
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 004D37AE

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$RY
API String ID: 1825951767-2271991516
Opcode ID: c2b2086d4bb27a3be3e1540a3087373af5fdba95f293a5c32ba812369474a9f3
Instruction ID: ad1a5bf841bcc7b0bc5caa8c2ef44d612247b11f5f5ec889e0e67a6a99245626
Opcode Fuzzy Hash: c2b2086d4bb27a3be3e1540a3087373af5fdba95f293a5c32ba812369474a9f3
Instruction Fuzzy Hash: 1AA15E7191021D9ACF05EFA5DCA1AEEBB79BF14304F44042FF415A7291EF786A08CB65

Function 004DF76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004F0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 004F0193
Part of subcall function 004F0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 004F019B
Part of subcall function 004F0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004F01A6
Part of subcall function 004F0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004F01B1
Part of subcall function 004F0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 004F01B9
Part of subcall function 004F0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 004F01C1

Part of subcall function 004E60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,004DF930), ref: 004E6154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004DF9CD
OleInitialize.OLE32(00000000), ref: 004DFA4A
CloseHandle.KERNEL32(00000000), ref: 005145C8

Strings

\TY, xrefs: 004DF7F7
<WY, xrefs: 004DF930
%V, xrefs: 004DF796, 004DF7A8, 004DF96E, 004DFA51
SY, xrefs: 004DF7EB

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <WY$\TY$%V$SY
API String ID: 1986988660-1288501804
Opcode ID: ccf759b34bd10d945990a8b9d66f6a9be3d5d052983572cedc26db27293e36f7
Instruction ID: b64ee56608b113ffbc48bb9c83229bf89110df7646f8ffb5d0747925f5bcd17f
Opcode Fuzzy Hash: ccf759b34bd10d945990a8b9d66f6a9be3d5d052983572cedc26db27293e36f7
Instruction Fuzzy Hash: 9681EDB0901A408FCB86DF7AA9506197BE5FB68346752852FE00CCB362F77444ACEF55

Function 017EB968 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 017EB9AD

Memory Dump Source

Source File: 00000000.00000002.2147174968.00000000017EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17eb000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 0f23ed620e1f9c4d0f362189ef308a8e6349e2b37c95093ad88b45e70294dbc1
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 0B51E775A50208FBEF20DFA4CC49FDEBBB9AF4C701F108554F61AEB180DA749A448B60

Function 004D39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004D3A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004D3A24
ShowWindow.USER32(00000000,?,?), ref: 004D3A38
ShowWindow.USER32(00000000,?,?), ref: 004D3A41

Strings

AutoIt v3, xrefs: 004D39FB, 004D3A00, 004D3A01
edit, xrefs: 004D3A1E

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: f4caff667d448bc791df88e6b7e4956ddcb7af8185466fe6d8baed60674fad3b
Instruction ID: dc5d4ed5d587732509f4e5000b2e73842a4142bde28511cc9558d2e47fdfee8a
Opcode Fuzzy Hash: f4caff667d448bc791df88e6b7e4956ddcb7af8185466fe6d8baed60674fad3b
Instruction Fuzzy Hash: A4F03A745006907EEE325723AC18E2B2E7DE7DAF51B02002BB900A21B0D2611828EBB0

Function 004D407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0050D3D7

Part of subcall function 004D7BCC: _memmove.LIBCMT ref: 004D7C06

_memset.LIBCMT ref: 004D40FC
_wcscpy.LIBCMT ref: 004D4150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004D4160

Strings

Line: , xrefs: 0050D400

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 9f5dfdf65540fbf43074ea2255d31d3fde79fb802e8c3b042beaa775d1e86ebe
Instruction ID: e1d605c594156ef31e339f4f03cc8da4da6cc86402e3010c75c06d54b941cb07
Opcode Fuzzy Hash: 9f5dfdf65540fbf43074ea2255d31d3fde79fb802e8c3b042beaa775d1e86ebe
Instruction Fuzzy Hash: 5031E471008704AFD722EB60DC55FEB77D8AF50308F10451FF68592291EB78A658C79A

Function 004F541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 004F547B
_memcpy_s.LIBCMT ref: 004F54ED
__read_nolock.LIBCMT ref: 004F554B
__filbuf.LIBCMT ref: 004F556E
_memset.LIBCMT ref: 004F55B2

Part of subcall function 004F8B28: __getptd_noexit.LIBCMT ref: 004F8B28

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 922d2de7433fb6224f1b14356d8af3785d2831daf24b0ad9cb633e8655bdc2ec
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: CD51E430A00B0DEBCB248EA9D84067F77B2AF40325F24872BFB25963D4D7789D518B49

Function 004D686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 004D4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 004D4E0F

_free.LIBCMT ref: 0050E263
_free.LIBCMT ref: 0050E2AA

Part of subcall function 004D6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 004D6BAD

Strings

Bad directive syntax error, xrefs: 0050E292
>>>AUTOIT SCRIPT<<<, xrefs: 0050E039

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: f145d7fb0471c0eed4b1fe7919a841772d9ecfae93ade44aab6d715fe9e45c81
Instruction ID: 830bf86caaacf227ece0c78a21456cebd744ed06f282fa54a57e4d76edd7652e
Opcode Fuzzy Hash: f145d7fb0471c0eed4b1fe7919a841772d9ecfae93ade44aab6d715fe9e45c81
Instruction Fuzzy Hash: F3917E7190021AAFCF14EFA5C8A69EDBBB4FF05314F14482FF815AB2A1DB74A905CB54

Function 017ED438 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

Part of subcall function 017ED328: Sleep.KERNELBASE(000001F4), ref: 017ED339

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 017ED566

Strings

8S0YLW35WM1BWX7WE, xrefs: 017ED5E6, 017ED5E9

Memory Dump Source

Source File: 00000000.00000002.2147174968.00000000017EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17eb000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CreateFileSleep
String ID: 8S0YLW35WM1BWX7WE
API String ID: 2694422964-1546470529
Opcode ID: 1377e9902c86d5a2d21af7e07e83a0fac37812e3c4cf212f8c414f58b6ed0dcf
Instruction ID: aa46b5fb0413a66313fef92493ff59f8044ff3a44d8ce1c75048fb487eae656e
Opcode Fuzzy Hash: 1377e9902c86d5a2d21af7e07e83a0fac37812e3c4cf212f8c414f58b6ed0dcf
Instruction Fuzzy Hash: AE51A230D04248DBEF11DBE4C818BEEBBB9AF59304F104199E648BB2C0D7B91B44CB65

Function 004D35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004D35A1,SwapMouseButtons,00000004,?), ref: 004D35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,004D35A1,SwapMouseButtons,00000004,?,?,?,?,004D2754), ref: 004D35F5
RegCloseKey.KERNELBASE(00000000,?,?,004D35A1,SwapMouseButtons,00000004,?,?,?,?,004D2754), ref: 004D3617

Strings

Control Panel\Mouse, xrefs: 004D35D2

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 74061f7764a56c2ee55b4192d07861ac51cec28ad55edf059dac31129f6560ce
Instruction ID: a374c1df2ba534786be23463a64453bf885e7ad7cffd09e6450b236f6f5cd0f1
Opcode Fuzzy Hash: 74061f7764a56c2ee55b4192d07861ac51cec28ad55edf059dac31129f6560ce
Instruction Fuzzy Hash: B6113675510208BADB20CF64DC54EAFB7A8EF04741F00446AA805D7310D2719E44A765

Function 0053955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 004D4EE5: _fseek.LIBCMT ref: 004D4EFD

Part of subcall function 00539734: _wcscmp.LIBCMT ref: 00539824
Part of subcall function 00539734: _wcscmp.LIBCMT ref: 00539837

_free.LIBCMT ref: 005396A2
_free.LIBCMT ref: 005396A9
_free.LIBCMT ref: 00539714

Part of subcall function 004F2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,004F9A24), ref: 004F2D69
Part of subcall function 004F2D55: GetLastError.KERNEL32(00000000,?,004F9A24), ref: 004F2D7B

_free.LIBCMT ref: 0053971C

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 6cef8eb787e4e551deb87a41cfcc5f328edab007a71f9a3129ff1eb0514b26a6
Instruction ID: 6bd383362979648502c84ab83990b5f64de643d15224ae275e06baf0fabcb8bf
Opcode Fuzzy Hash: 6cef8eb787e4e551deb87a41cfcc5f328edab007a71f9a3129ff1eb0514b26a6
Instruction Fuzzy Hash: AE514EB1D04219ABDF249F65CC85AAEBBB9FF88304F10049EF209A3351DB755A80CF58

Function 004F470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004F47A0
__flush.LIBCMT ref: 004F47C0
__write.LIBCMT ref: 004F47F3
__flsbuf.LIBCMT ref: 004F4821

Part of subcall function 004F8B28: __getptd_noexit.LIBCMT ref: 004F8B28

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: aad2f5e608f8efba43aac6e934a71f9fe2258905eab53e1ccdd764cf28e9f888
Instruction ID: 663192a92ff02313ae8476a22515602c7d7db0d05279839d554db014a59f2253
Opcode Fuzzy Hash: aad2f5e608f8efba43aac6e934a71f9fe2258905eab53e1ccdd764cf28e9f888
Instruction Fuzzy Hash: 7A41B478A0064D9BDB18AE69C88097B7BE5EFC23A4B14813FE61587740DF78DD418B48

Function 004D44A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004D44CF

Part of subcall function 004D407C: _memset.LIBCMT ref: 004D40FC
Part of subcall function 004D407C: _wcscpy.LIBCMT ref: 004D4150
Part of subcall function 004D407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004D4160

KillTimer.USER32(?,00000001,?,?), ref: 004D4524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004D4533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0050D4B9

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: e08b5c24bbf6ced906aa2f1abd4e26c80ee91a1b180fb50c0629e0e4c30397d5
Instruction ID: da0776afad01fef50a62061713fb19dab986d3c9058e8a3b3ce13d0f3ca90909
Opcode Fuzzy Hash: e08b5c24bbf6ced906aa2f1abd4e26c80ee91a1b180fb50c0629e0e4c30397d5
Instruction Fuzzy Hash: 1121F874504794AFEB328B649865BEBBFECAB15304F04049FE78E56281C3B82988DB55

Function 004D4C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004D4CBA

Strings

EA06, xrefs: 0050D8CC
AU3!P/V, xrefs: 004D4CB4

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/V$EA06
API String ID: 4104443479-2157958978
Opcode ID: f9502eb05a0195143df6a623f526aeec80195127d70db672ff1defa1106de35f
Instruction ID: 6a936002ac3b1b16a5effeb4af8a18594c152e7b81bb6f8f5f61b77bc2862f7e
Opcode Fuzzy Hash: f9502eb05a0195143df6a623f526aeec80195127d70db672ff1defa1106de35f
Instruction Fuzzy Hash: 1E415C31A041586BDF219B5588B17BF7FA3DFC5304F28447BE8829B382D63C5D4587AA

Function 004D7285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0050EA39
GetOpenFileNameW.COMDLG32(?), ref: 0050EA83

Part of subcall function 004D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004D4743,?,?,004D37AE,?), ref: 004D4770

Part of subcall function 004F0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004F07B0

Strings

X, xrefs: 0050EA51

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: f05b997fc45cf2968a69eba954f2fc54cdd6be0d5276ebb34e628db3087e2179
Instruction ID: 6c6c0ca58ebf4394e485286b032bc2d432a55608b6d2336ce60e015d073320fd
Opcode Fuzzy Hash: f05b997fc45cf2968a69eba954f2fc54cdd6be0d5276ebb34e628db3087e2179
Instruction Fuzzy Hash: 0121C330A002489BCB519F94CC55BEE7BF8AF48314F00405BE908B7381DBB859898FA5

Function 00538D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00538DAC
__fread_nolock.LIBCMT ref: 00538DC1

Strings

EA06, xrefs: 00538DF3

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 3910ff1ab612e3eb69d7cacb03054a0632b450e941383be964ca2f78b22e0163
Instruction ID: d9f67cf9b97766e4c8e760294e974a7b855ae36fd0a6f35ba1c7bc38778267f3
Opcode Fuzzy Hash: 3910ff1ab612e3eb69d7cacb03054a0632b450e941383be964ca2f78b22e0163
Instruction Fuzzy Hash: AC01F9718042187EDB18CAA9CC16EFE7FF8DB11301F00459FF652D2181E878E6048B60

Function 017EC048 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 017EC08D
ExitProcess.KERNEL32(00000000), ref: 017EC0AC

Strings

D, xrefs: 017EC059

Memory Dump Source

Source File: 00000000.00000002.2147174968.00000000017EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17eb000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
Instruction ID: 276d6a6da22388908bad867e8034093175584cad8c5ded853409cbe3ac8ca910
Opcode Fuzzy Hash: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
Instruction Fuzzy Hash: 06F0F47554024CABDB60DFE4CC4DFEE77BCBF48701F448508FB199A144DA7495488B61

Function 005398E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 005398F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0053990F

Strings

aut, xrefs: 00539909

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: daf08db16408a9db2be21e404b25e381640c1b754e2550634761f68c931b1fb4
Instruction ID: 9ffd211735a7363fb33791f0cd5b66e1c1ec9718971c32f720682057a01bef77
Opcode Fuzzy Hash: daf08db16408a9db2be21e404b25e381640c1b754e2550634761f68c931b1fb4
Instruction Fuzzy Hash: 25D05B7954030D6BDB50AB90DC0DF96773CE714701F4006B1BE5495091D97055589B91

Function 0054CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c85962d91403b89f2a3e31ca0a7a2c0900cb3b65514779b2fb77cef6bf2000f
Instruction ID: bf0be7408bc414e0af2657fd9f39f07f3cb5624ac9a3bf7ad731de98160dbd33
Opcode Fuzzy Hash: 2c85962d91403b89f2a3e31ca0a7a2c0900cb3b65514779b2fb77cef6bf2000f
Instruction Fuzzy Hash: F4F12270A083419FCB54DF29C494A6ABBE5FFC8318F14892EF8999B251D734E945CF82

Function 004D434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004D4370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 004D4415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 004D4432

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: f863695b81fa55c2292ec90d4f4cc6ea94e6e3d7f330d42372bc381719d19d89
Instruction ID: 1abfb8d110aa08814a1e0ff5e145e96104fd3e8b0060969abf2bc24ebac48362
Opcode Fuzzy Hash: f863695b81fa55c2292ec90d4f4cc6ea94e6e3d7f330d42372bc381719d19d89
Instruction Fuzzy Hash: AD317370604701DFDB21DF24D89569BBBF8FB98309F00092FF69A82351E775A948CB56

Function 004F571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 004F5733

Part of subcall function 004FA16B: __NMSG_WRITE.LIBCMT ref: 004FA192
Part of subcall function 004FA16B: __NMSG_WRITE.LIBCMT ref: 004FA19C

__NMSG_WRITE.LIBCMT ref: 004F573A

Part of subcall function 004FA1C8: GetModuleFileNameW.KERNEL32(00000000,005933BA,00000104,?,00000001,00000000), ref: 004FA25A
Part of subcall function 004FA1C8: ___crtMessageBoxW.LIBCMT ref: 004FA308

Part of subcall function 004F309F: ___crtCorExitProcess.LIBCMT ref: 004F30A5
Part of subcall function 004F309F: ExitProcess.KERNEL32 ref: 004F30AE

Part of subcall function 004F8B28: __getptd_noexit.LIBCMT ref: 004F8B28

RtlAllocateHeap.NTDLL(01750000,00000000,00000001,00000000,?,?,?,004F0DD3,?), ref: 004F575F

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: a6bca90e8da7f37fd2c201161dc2b72e6f6feac7abcee219ce02059efdf8268e
Instruction ID: 9216733a517b9b9024e084ef460037f672d4a1e3e9bd4e9f587b03a8098fb739
Opcode Fuzzy Hash: a6bca90e8da7f37fd2c201161dc2b72e6f6feac7abcee219ce02059efdf8268e
Instruction Fuzzy Hash: 8B01D235300B09DADA113B36EC42A3F73C8CB52366F11002FF7059A281DE7C9C01966E

Function 005398A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00539548,?,?,?,?,?,00000004), ref: 005398BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00539548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 005398D1
CloseHandle.KERNEL32(00000000,?,00539548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 005398D8

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 028d1f3bab40914ad5efa17e5854da8a15f75bf7bd1a29bcb3ef228634bde7f1
Instruction ID: c84df53aed042b9b9102c101925bfc8e439fbf90bf638b3f9cd2ead1f4b1e506
Opcode Fuzzy Hash: 028d1f3bab40914ad5efa17e5854da8a15f75bf7bd1a29bcb3ef228634bde7f1
Instruction Fuzzy Hash: FAE08632141714B7E7212B54EC09FCA7F19AB56762F104120FB14A90E087B11515A798

Function 00538D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00538D1B

Part of subcall function 004F2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,004F9A24), ref: 004F2D69
Part of subcall function 004F2D55: GetLastError.KERNEL32(00000000,?,004F9A24), ref: 004F2D7B

_free.LIBCMT ref: 00538D2C
_free.LIBCMT ref: 00538D3E

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e92dce40d9500f9ac2a34e83b90a716ef22a9282606ba49fbfd8bfa905bb999e
Instruction ID: 2bf8bd6a1842d575b51d22af26a2f29ad3f2297e88efa6d662b0b4a93f337e30
Opcode Fuzzy Hash: e92dce40d9500f9ac2a34e83b90a716ef22a9282606ba49fbfd8bfa905bb999e
Instruction Fuzzy Hash: 55E012A160170A46CB28A5B9AA41AB317DC5F58356B140D1EB50DD7186CEA8F8428128

Function 004DA9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0050FC01

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 6e74bb82090920542cf6804d1b4356272465da4aac274ba3c77d84429d62e9e2
Instruction ID: 3630b96c1d478f210c4ef0080947b953d5e01565c56dfb48b42a15c277d45343
Opcode Fuzzy Hash: 6e74bb82090920542cf6804d1b4356272465da4aac274ba3c77d84429d62e9e2
Instruction Fuzzy Hash: D3225A70508201DFDB24DF14C4A4A6ABBE1FF85704F15895FE88A8B362D739EC55CB8A

Function 004D7A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004D7AAB
_memmove.LIBCMT ref: 004D7B16

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8787708196ce45b0a8645caae1a99237cce191730ca2271c137f8889e79cc621
Instruction ID: c1933a7f83ab0e074f9d09de4ca1eb45ad68e8008ec4e4c8c8fb53b5bbb79714
Opcode Fuzzy Hash: 8787708196ce45b0a8645caae1a99237cce191730ca2271c137f8889e79cc621
Instruction Fuzzy Hash: 9231C4B5604606AFC704DF68C8E1D6AB3A9FF48324714862FE519CB391EB34E911CB94

Function 004D47D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 004D4834

Part of subcall function 004F336C: __lock.LIBCMT ref: 004F3372
Part of subcall function 004F336C: DecodePointer.KERNEL32(00000001,?,004D4849,00527C74), ref: 004F337E
Part of subcall function 004F336C: EncodePointer.KERNEL32(?,?,004D4849,00527C74), ref: 004F3389

Part of subcall function 004D48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 004D4915
Part of subcall function 004D48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 004D492A

Part of subcall function 004D3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004D3B68
Part of subcall function 004D3B3A: IsDebuggerPresent.KERNEL32 ref: 004D3B7A
Part of subcall function 004D3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,005952F8,005952E0,?,?), ref: 004D3BEB
Part of subcall function 004D3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 004D3C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 004D4874

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: b7f4f0b6fba7c08f0db558b2901915cab86398b3f9c6646f64c2fe08e7e70060
Instruction ID: 223aa3df83247bbd01faca363568c2364081034c329a19c21e5a6f96878fd654
Opcode Fuzzy Hash: b7f4f0b6fba7c08f0db558b2901915cab86398b3f9c6646f64c2fe08e7e70060
Instruction Fuzzy Hash: 7911CD718183459BCB00EF7AE84580ABFE8EFA9744F01451FF444932B1DB74990CEB96

Function 004F0DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004F571C: __FF_MSGBANNER.LIBCMT ref: 004F5733
Part of subcall function 004F571C: __NMSG_WRITE.LIBCMT ref: 004F573A
Part of subcall function 004F571C: RtlAllocateHeap.NTDLL(01750000,00000000,00000001,00000000,?,?,?,004F0DD3,?), ref: 004F575F

std::exception::exception.LIBCMT ref: 004F0DEC
__CxxThrowException@8.LIBCMT ref: 004F0E01

Part of subcall function 004F859B: RaiseException.KERNEL32(?,?,?,00589E78,00000000,?,?,?,?,004F0E06,?,00589E78,?,00000001), ref: 004F85F0

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 91218e49e05e06271f29c9a1d31a8285876db86ef75b57d29bab543fdae216df
Instruction ID: 389b0e6b8bfd7d21b6b0eddb708c26bf1bc8600aa22213d45823b129a3490237
Opcode Fuzzy Hash: 91218e49e05e06271f29c9a1d31a8285876db86ef75b57d29bab543fdae216df
Instruction Fuzzy Hash: DBF0813590021E66CB10BA95EC019FF7BACAF01355F10442FFE04A6282EF749A418699

Function 004F55FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 004F562C
__lock_file.LIBCMT ref: 004F564D

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: c55416721b364861451ea43d12909c7938cff4e1a173e2439538f8e78e64aec4
Instruction ID: 5d44d19361986d50088b56a7a0b4f68c27f022a976e347a7a3fb2a287eac1da3
Opcode Fuzzy Hash: c55416721b364861451ea43d12909c7938cff4e1a173e2439538f8e78e64aec4
Instruction Fuzzy Hash: 1901FC71800A0CEBDF12AF668C028BF7B61AF50325F40411FFB285A251DB798511DF59

Function 004F53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004F8B28: __getptd_noexit.LIBCMT ref: 004F8B28

__lock_file.LIBCMT ref: 004F53EB

Part of subcall function 004F6C11: __lock.LIBCMT ref: 004F6C34

__fclose_nolock.LIBCMT ref: 004F53F6

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 651040cf2a3d543b961a82040b225b354de4dd7b3475126c8e42ab0644334a8e
Instruction ID: deac2dcb4c6e87e63caa84c2503dbbe2f3e3e5d7865098d44eb1b6c5326274b2
Opcode Fuzzy Hash: 651040cf2a3d543b961a82040b225b354de4dd7b3475126c8e42ab0644334a8e
Instruction Fuzzy Hash: 6BF09671900A1C9ADB117B7A98057BE66A06F41378F21810FAB64AB1C1CBFC49419B5A

Function 017EC0B8 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

APIs

Part of subcall function 017EB928: GetFileAttributesW.KERNELBASE(?), ref: 017EB933

CreateDirectoryW.KERNELBASE(?,00000000), ref: 017EC226

Memory Dump Source

Source File: 00000000.00000002.2147174968.00000000017EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17eb000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: c817dc248cde4a311451995c351a46fd6d2fe654b79f368826001baea0eda2d5
Instruction ID: fe31b82da1b33926126d1762dff733f8d8f3e4c5f6acb3951b3dcd4f9f385932
Opcode Fuzzy Hash: c817dc248cde4a311451995c351a46fd6d2fe654b79f368826001baea0eda2d5
Instruction Fuzzy Hash: B361C531A1020D97EF14EFA0C848BEFB3BAEF58700F004568A60DE7294EB359A45CB65

Function 004F0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 004F0CB7

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: eebd211a61a3b5e46e6fc2f174aac2511879540927d669653b6a5429ea21d5e4
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7131F5B4A001499BC71CDF08C48497AF7A6FB89300B2487A6E90ACB356D735EDC1DBC9

Function 0050FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0050FCB7

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 689b960993a7ccfea7c8f9e4cb4946bf7abe00e0213d609a46bdf9091c4d0651
Instruction ID: 04bcead99ae41d2983df8e54afb690773cac7d6b0ab3ff36911bfb3a7e3e343b
Opcode Fuzzy Hash: 689b960993a7ccfea7c8f9e4cb4946bf7abe00e0213d609a46bdf9091c4d0651
Instruction Fuzzy Hash: EA411674504341DFDB24DF24C464B1ABBE1BF85318F0988AEE8998B762C735EC45CB96

Function 004D7B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004D7BB3

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c30f0078b3e1e38e80ea412082d0d44d95e991fc52fc61120eec2eee7085d555
Instruction ID: 1eb177f3b37630928dab9f736bfd8cc4649a598671186f79bbc38bf27514ce68
Opcode Fuzzy Hash: c30f0078b3e1e38e80ea412082d0d44d95e991fc52fc61120eec2eee7085d555
Instruction Fuzzy Hash: 87212772A04A09EBEB144F21E84266E7FB4FB24354F34882FE845D52A1EB319490E709

Function 004D4DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004D4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 004D4BEF

Part of subcall function 004F525B: __wfsopen.LIBCMT ref: 004F5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 004D4E0F

Part of subcall function 004D4B6A: FreeLibrary.KERNEL32(00000000), ref: 004D4BA4

Part of subcall function 004D4C70: _memmove.LIBCMT ref: 004D4CBA

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: c93466964032225423b2bd61910d03dd6baede6de4e19e0e8677429ad0f35845
Instruction ID: cd4a14b1700165454c931c0df0dcccae759644d14daf4093b1f516b3eda65df3
Opcode Fuzzy Hash: c93466964032225423b2bd61910d03dd6baede6de4e19e0e8677429ad0f35845
Instruction Fuzzy Hash: D011E731600205BBCF10BFB1CC26F6D77A4AFC4714F10842FF545A7281DA799A059B55

Function 0050FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0050FD91

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: f46cf0b8e434da6731cd8fa7d8f67c5c8b5b956c22b547d83add5b22f07a976e
Instruction ID: 5581d45b623f53d50823f5b015cd072a8db9fab9ef8251b25101b71399e640bc
Opcode Fuzzy Hash: f46cf0b8e434da6731cd8fa7d8f67c5c8b5b956c22b547d83add5b22f07a976e
Instruction Fuzzy Hash: B3213574908301DFCB14DF24C464A1ABBE1BF88314F05896EE98987762C735E815CB97

Function 004F4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 004F48A6

Part of subcall function 004F8B28: __getptd_noexit.LIBCMT ref: 004F8B28

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 8b398e23ac30b6fc86c250008a6db7436f63885410e2ae92e707d9a1c1ba5574
Instruction ID: 45bde31a65ed861fed310024a087e4ede92376b467bdc2ebd48be6815acf7d50
Opcode Fuzzy Hash: 8b398e23ac30b6fc86c250008a6db7436f63885410e2ae92e707d9a1c1ba5574
Instruction Fuzzy Hash: A4F0F43190024CABDF11BFB58C057BF36A0AF40368F05840EB6109A181CFBC8951DB49

Function 004D4E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,005952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 004D4E7E

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9e151e6b94fe8ea10b8d771e806f563c4fbcd0f65a37178c6c8394c89f1c0ef7
Instruction ID: cfc1ad5a8dafdb2fb11d8caa4edc6221b2de5ac15348e79199383c19200a194f
Opcode Fuzzy Hash: 9e151e6b94fe8ea10b8d771e806f563c4fbcd0f65a37178c6c8394c89f1c0ef7
Instruction Fuzzy Hash: FAF03971501B11EFCB349F65E4A4823BBE1BFA43293208A3FE2D682720C73A9844DF45

Function 004F0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004F07B0

Part of subcall function 004D7BCC: _memmove.LIBCMT ref: 004D7C06

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: e26a7f2c5ca18a84c4333203a7d5a251e55fe289765ef1cca4abca9721b6317a
Instruction ID: 5fedfd435cec320040d7d0c0dd271e96998b1a05242cfb8288ac0f6fd1c50ab1
Opcode Fuzzy Hash: e26a7f2c5ca18a84c4333203a7d5a251e55fe289765ef1cca4abca9721b6317a
Instruction Fuzzy Hash: 43E0867690422857C720A6699C05FEA77DDDBC87A1F0441B7FD0CD7244D964AC808695

Function 00538E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00538EC1

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 18dcbd72414faec867240fcb0451ee7e92b6f2a7762adbd6f3f72f9f3a0f136a
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 8CE092B0104B045FD7398A24D800BB377E5BB05305F04081DF2AA83241EB6278459759

Function 017EB928 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 017EB933

Memory Dump Source

Source File: 00000000.00000002.2147174968.00000000017EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17eb000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 43b60f7bea5a40b2a15530e422d34b9b1fb9ba5a12a2eeeab6aaf22707c6c78d
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 01E08631546109DBDB50CAB889886ADBBE4A708320F004664A519C3280D6309A04D660

Function 017EB8F8 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 017EB903

Memory Dump Source

Source File: 00000000.00000002.2147174968.00000000017EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17eb000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 88d04bcde3376c18c60b34cd9e161905e0c52788eda29c96c06139dd63ee7d2e
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: B8D0A73190520CEFCB20CFB89D08ADDB7E8D709320F004795FD15C3280D6359E00A790

Function 004F525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 004F5266

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 9096091fdc55c8f8972c670755d927564a49785f08568f6a3ecf7a0ff06ed32f
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 0AB0927644020C77CE012A82FC02A593F199B41768F408061FB0C18162A677A6649A89

Function 017ED324 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 017ED339

Memory Dump Source

Source File: 00000000.00000002.2147174968.00000000017EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17eb000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 4286cdfde560e9ce207af882e1596059ed92c35338c256286595cf5d31c13bd4
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 5BE09A7594010DEFDB10DFA4D54969D7BB4EF04301F1005A1FD0596681DA309A548A62

Function 017ED328 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 017ED339

Memory Dump Source

Source File: 00000000.00000002.2147174968.00000000017EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17eb000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 554fd5117f2f75b490dda60bc3d519c14659aed85f6bb243b199823681424bfd
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: E5E0BF7594010DDFDB00DFA4D54969D7BF4EF04301F100161FD0192281D63099508A62

Non-executed Functions

Function 0055CABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004D2612: GetWindowLongW.USER32(?,000000EB), ref: 004D2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0055CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0055CB95
GetWindowLongW.USER32(?,000000F0), ref: 0055CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0055CC00
SendMessageW.USER32 ref: 0055CC29
_wcsncpy.LIBCMT ref: 0055CC95
GetKeyState.USER32(00000011), ref: 0055CCB6
GetKeyState.USER32(00000009), ref: 0055CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0055CCD9
GetKeyState.USER32(00000010), ref: 0055CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0055CD0C
SendMessageW.USER32 ref: 0055CD33
SendMessageW.USER32(?,00001030,?,0055B348), ref: 0055CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0055CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0055CE60
SetCapture.USER32(?), ref: 0055CE69
ClientToScreen.USER32(?,?), ref: 0055CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0055CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0055CEF5
ReleaseCapture.USER32 ref: 0055CF00
GetCursorPos.USER32(?), ref: 0055CF3A
ScreenToClient.USER32(?,?), ref: 0055CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0055CFA3
SendMessageW.USER32 ref: 0055CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0055D00E
SendMessageW.USER32 ref: 0055D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0055D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0055D06D
GetCursorPos.USER32(?), ref: 0055D08D
ScreenToClient.USER32(?,?), ref: 0055D09A
GetParent.USER32(?), ref: 0055D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0055D123
SendMessageW.USER32 ref: 0055D154
ClientToScreen.USER32(?,?), ref: 0055D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0055D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0055D20C
SendMessageW.USER32 ref: 0055D22F
ClientToScreen.USER32(?,?), ref: 0055D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0055D2B5

Part of subcall function 004D25DB: GetWindowLongW.USER32(?,000000EB), ref: 004D25EC

GetWindowLongW.USER32(?,000000F0), ref: 0055D351

Strings

F, xrefs: 0055D235
@GUI_DRAGID, xrefs: 0055CE9C
pbY, xrefs: 0055CEAF

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pbY
API String ID: 3977979337-282858137
Opcode ID: 4b53dcccb679871875b4ddd115b8a2adc180fd2d3d1c4e7ea6a8fe67e0a133aa
Instruction ID: ee649e3e7e3d0b006dad43e339a18b81c8fd8f8762431ff92c13ff5d28a036d5
Opcode Fuzzy Hash: 4b53dcccb679871875b4ddd115b8a2adc180fd2d3d1c4e7ea6a8fe67e0a133aa
Instruction Fuzzy Hash: 7442BD34204340AFDB21CF64C868AAABFE5FF49322F54091EF956872B0D731D858EB52

Function 004E6F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004E71C3
_memset.LIBCMT ref: 004E7539
_memmove.LIBCMT ref: 004E76AC

Strings

]X, xrefs: 00521A22
[:>:]], xrefs: 004E7492
3cN, xrefs: 005223A0
_N, xrefs: 005223CB
DEFINE, xrefs: 00522103
Q\E, xrefs: 004E7FCB
P\X, xrefs: 00521AB8
\b(?<=\w), xrefs: 00523773
\b(?=\w), xrefs: 00523769
[:<:]], xrefs: 004E7479

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]X$3cN$DEFINE$P\X$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_N
API String ID: 1357608183-3356755941
Opcode ID: 6214e7fed979e0b24ac711017dc9c6e870f6825d2e3befde2268b0e6d6aca50b
Instruction ID: 8bc16f0782cb768df595f4e53bed7e1b19acb792d3eb5a412bdef614e0e6b682
Opcode Fuzzy Hash: 6214e7fed979e0b24ac711017dc9c6e870f6825d2e3befde2268b0e6d6aca50b
Instruction Fuzzy Hash: 4A93B375E00229DBDB24CF58D881BADBBB1FF49310F25856AE905AB3C1E7749E81CB44

Function 004D48D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 004D48DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0050D665
IsIconic.USER32(?), ref: 0050D66E
ShowWindow.USER32(?,00000009), ref: 0050D67B
SetForegroundWindow.USER32(?), ref: 0050D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0050D69B
GetCurrentThreadId.KERNEL32 ref: 0050D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0050D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0050D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0050D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0050D6CF
SetForegroundWindow.USER32(?), ref: 0050D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0050D6E7
keybd_event.USER32(00000012,00000000), ref: 0050D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0050D6FC
keybd_event.USER32(00000012,00000000), ref: 0050D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0050D70A
keybd_event.USER32(00000012,00000000), ref: 0050D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0050D719
keybd_event.USER32(00000012,00000000), ref: 0050D71E
SetForegroundWindow.USER32(?), ref: 0050D721
AttachThreadInput.USER32(?,?,00000000), ref: 0050D748

Strings

Shell_TrayWnd, xrefs: 0050D660

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: c5b0b0b2ace8e469f14c378e36a3a86cb700a2b8138238f5989827858029dc7d
Instruction ID: 883d1f201e467ada154f35d1b5918bd1b4c258b048de4a752cca11228e8e20c3
Opcode Fuzzy Hash: c5b0b0b2ace8e469f14c378e36a3a86cb700a2b8138238f5989827858029dc7d
Instruction Fuzzy Hash: 47317E71A80318BBEB206BA19C89F7F7E6CEB54B51F104025FA05EB1D1DAB15901ABB1

Function 00528310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 005287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0052882B
Part of subcall function 005287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00528858
Part of subcall function 005287E1: GetLastError.KERNEL32 ref: 00528865

_memset.LIBCMT ref: 00528353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 005283A5
CloseHandle.KERNEL32(?), ref: 005283B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005283CD
GetProcessWindowStation.USER32 ref: 005283E6
SetProcessWindowStation.USER32(00000000), ref: 005283F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0052840A

Part of subcall function 005281CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00528309), ref: 005281E0
Part of subcall function 005281CB: CloseHandle.KERNEL32(?,?,00528309), ref: 005281F2

Strings

default, xrefs: 00528405
winsta0, xrefs: 005283C8
, xrefs: 00528362

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 53ad1c297e98cc2fa47afdf999a4431c310cd60a00e29fbe35fbccd8796b414e
Instruction ID: 393ebbce73a713e187aa476d430f327e1d097cabc97e98e246b2407081150f18
Opcode Fuzzy Hash: 53ad1c297e98cc2fa47afdf999a4431c310cd60a00e29fbe35fbccd8796b414e
Instruction Fuzzy Hash: CF813771902219BFDF119FA4EC49AFE7FB9FF09304F144169F910A62A1DB358A14DB60

Function 0053C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0053C78D
FindClose.KERNEL32(00000000), ref: 0053C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0053C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0053C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0053C844
__swprintf.LIBCMT ref: 0053C890
__swprintf.LIBCMT ref: 0053C8D3

Part of subcall function 004D7DE1: _memmove.LIBCMT ref: 004D7E22

__swprintf.LIBCMT ref: 0053C927

Part of subcall function 004F3698: __woutput_l.LIBCMT ref: 004F36F1

__swprintf.LIBCMT ref: 0053C975

Part of subcall function 004F3698: __flsbuf.LIBCMT ref: 004F3713
Part of subcall function 004F3698: __flsbuf.LIBCMT ref: 004F372B

__swprintf.LIBCMT ref: 0053C9C4
__swprintf.LIBCMT ref: 0053CA13
__swprintf.LIBCMT ref: 0053CA62

Strings

%02d, xrefs: 0053C91B, 0053C925, 0053C973, 0053C9C2, 0053CA11, 0053CA60
%4d, xrefs: 0053C8CD
%4d%02d%02d%02d%02d%02d, xrefs: 0053C88A

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: ef481866ebe539f1cb4031e5cf777420a0fe4b442b6e7cae4832589a504fc59e
Instruction ID: c41f8118f0b37c0a40f46a7624a15835b10a6472fe46b5b80d9a7fb73e6afd21
Opcode Fuzzy Hash: ef481866ebe539f1cb4031e5cf777420a0fe4b442b6e7cae4832589a504fc59e
Instruction Fuzzy Hash: 42A11AB1508244ABD710EFA5C895DAFB7ECFF94708F40091FF585D6291EA34DA08CB66

Function 0053EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0053EFB6
_wcscmp.LIBCMT ref: 0053EFCB
_wcscmp.LIBCMT ref: 0053EFE2
GetFileAttributesW.KERNEL32(?), ref: 0053EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0053F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0053F026
FindClose.KERNEL32(00000000), ref: 0053F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0053F04D
_wcscmp.LIBCMT ref: 0053F074
_wcscmp.LIBCMT ref: 0053F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0053F09D
SetCurrentDirectoryW.KERNEL32(00588920), ref: 0053F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0053F0C5
FindClose.KERNEL32(00000000), ref: 0053F0D2
FindClose.KERNEL32(00000000), ref: 0053F0E4

Strings

*.*, xrefs: 0053F048

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: d56dee223c8510d5ec565f413fcc77782c2ceeb9a20ac031275d1f1cbde11cd6
Instruction ID: 12b5b37c2c7f814375ae7757d902a544e70270a22d32a6f5b85892312d317b15
Opcode Fuzzy Hash: d56dee223c8510d5ec565f413fcc77782c2ceeb9a20ac031275d1f1cbde11cd6
Instruction Fuzzy Hash: F13105369002187ADB18EFB8DC5CAEE7BACAF44321F000176F801E30A1DB74DA44DB55

Function 00550857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00550953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0055F910,00000000,?,00000000,?,?), ref: 005509C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00550A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00550A92
RegCloseKey.ADVAPI32(?), ref: 00550DB2
RegCloseKey.ADVAPI32(00000000), ref: 00550DBF

Strings

REG_BINARY, xrefs: 00550D4D
REG_MULTI_SZ, xrefs: 00550B7A
REG_EXPAND_SZ, xrefs: 00550A2F
REG_SZ, xrefs: 00550AD0
REG_QWORD, xrefs: 00550D00
REG_DWORD, xrefs: 00550C83

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: b2134bcaa951b89255add18b6c006c39a1fd67ecab701a453c75a13699e125ab
Instruction ID: ec7d30c5a98d765254cff9e6f8c1cda404435477bb9270c716c3b61b4d4bceac
Opcode Fuzzy Hash: b2134bcaa951b89255add18b6c006c39a1fd67ecab701a453c75a13699e125ab
Instruction Fuzzy Hash: 8A025E756006119FCB14EF15C865E2ABBE5FF89714F04885EF88A9B3A2DB34EC05CB85

Function 004E66E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

pGW, xrefs: 004E6751
3cN, xrefs: 004E68FF
0FW, xrefs: 004E6747
0DW, xrefs: 004E6733
_N, xrefs: 00521465, 0052150C, 005215B4
NO_START_OPT), xrefs: 0052114F
NO_AUTO_POSSESS), xrefs: 0052112E
LIMIT_RECURSION=, xrefs: 005211FC
0EW, xrefs: 004E673D
ANY), xrefs: 005212DE
BSR_ANYCRLF), xrefs: 0052131E
BSR_UNICODE), xrefs: 00521338
UTF16), xrefs: 005210CF
LF), xrefs: 005212A4
UTF), xrefs: 005210FA
CR), xrefs: 00521287
UCP), xrefs: 0052110D
ANYCRLF), xrefs: 005212FB
CRLF), xrefs: 005212C1
LIMIT_MATCH=, xrefs: 00521170

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID:
String ID: 0DW$0EW$0FW$3cN$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGW$_N
API String ID: 0-2751122855
Opcode ID: 6578b618748d3d00058befb65603386ead9dab4f68e06618b71a13a272443719
Instruction ID: 91eef0d1836464a92e5a987274c146cc21ef5a76d71742b2863c3e4f00cd3af5
Opcode Fuzzy Hash: 6578b618748d3d00058befb65603386ead9dab4f68e06618b71a13a272443719
Instruction Fuzzy Hash: 36729271E00669DBDF14CF59D8807AEBBB5FF65311F1481AAE809EB280D7349D81CB98

Function 0053F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0053F113
_wcscmp.LIBCMT ref: 0053F128
_wcscmp.LIBCMT ref: 0053F13F

Part of subcall function 00534385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 005343A0

FindNextFileW.KERNEL32(00000000,?), ref: 0053F16E
FindClose.KERNEL32(00000000), ref: 0053F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0053F195
_wcscmp.LIBCMT ref: 0053F1BC
_wcscmp.LIBCMT ref: 0053F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0053F1E5
SetCurrentDirectoryW.KERNEL32(00588920), ref: 0053F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0053F20D
FindClose.KERNEL32(00000000), ref: 0053F21A
FindClose.KERNEL32(00000000), ref: 0053F22C

Strings

*.*, xrefs: 0053F190

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 83e000535e8a997c6afd7f35f127a0ed7627665982cb11b3433cae936783ac3b
Instruction ID: 6eb0570a1947f051fc2776006c7b5ff6efb199bdcbfb3be856a288dea655b659
Opcode Fuzzy Hash: 83e000535e8a997c6afd7f35f127a0ed7627665982cb11b3433cae936783ac3b
Instruction Fuzzy Hash: CC31B57A900219BADB10AFA4EC59EEF7BACAF45361F100176F910E20A0DB30DE49DB54

Function 0053A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0053A20F
__swprintf.LIBCMT ref: 0053A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0053A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0053A293
_memset.LIBCMT ref: 0053A2B2
_wcsncpy.LIBCMT ref: 0053A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0053A323
CloseHandle.KERNEL32(00000000), ref: 0053A32E
RemoveDirectoryW.KERNEL32(?), ref: 0053A337
CloseHandle.KERNEL32(00000000), ref: 0053A341

Strings

\??\%s, xrefs: 0053A22B
:, xrefs: 0053A252
\, xrefs: 0053A247

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: b2a48cda17d2cd95505c34bc4dacdd5d0afcc6e06d4aa9bff134d76ce6b9f599
Instruction ID: 1d9305004b3b2ce697013bff026d15acc87cbcbf7f08bdb5a1465784bcc31e94
Opcode Fuzzy Hash: b2a48cda17d2cd95505c34bc4dacdd5d0afcc6e06d4aa9bff134d76ce6b9f599
Instruction Fuzzy Hash: BA31B0B5900209ABDB219FA0DC49FEF3BBCFF89701F1045B6FA08D6160EB7496448B25

Function 0053001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00530097
SetKeyboardState.USER32(?), ref: 00530102
GetAsyncKeyState.USER32(000000A0), ref: 00530122
GetKeyState.USER32(000000A0), ref: 00530139
GetAsyncKeyState.USER32(000000A1), ref: 00530168
GetKeyState.USER32(000000A1), ref: 00530179
GetAsyncKeyState.USER32(00000011), ref: 005301A5
GetKeyState.USER32(00000011), ref: 005301B3
GetAsyncKeyState.USER32(00000012), ref: 005301DC
GetKeyState.USER32(00000012), ref: 005301EA
GetAsyncKeyState.USER32(0000005B), ref: 00530213
GetKeyState.USER32(0000005B), ref: 00530221

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 64b79dfda6f3ca7b77b6f49bbb58c8095714ba50d636371223412ab9b5ed74f5
Instruction ID: ba4b50358a04f56bde85bccdd320a0bbfb875069058e7452c8e8bf91cae26833
Opcode Fuzzy Hash: 64b79dfda6f3ca7b77b6f49bbb58c8095714ba50d636371223412ab9b5ed74f5
Instruction Fuzzy Hash: F051EA3090478929FB35DBB488687EBBFB4AF01380F48559ED9C2575C3DAA49B8CC761

Function 005503DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00550E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0054FDAD,?,?), ref: 00550E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005504AC

Part of subcall function 004D9837: __itow.LIBCMT ref: 004D9862
Part of subcall function 004D9837: __swprintf.LIBCMT ref: 004D98AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0055054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 005505E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00550822
RegCloseKey.ADVAPI32(00000000), ref: 0055082F

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: a2381514d0c6a6a9bf244e07f9faf51ccc2e5f4319ffb05c24e69f3356d5be63
Instruction ID: afec84c6af679b68173fd70443749022e5b6e880ce84c43850256accb36f9a2a
Opcode Fuzzy Hash: a2381514d0c6a6a9bf244e07f9faf51ccc2e5f4319ffb05c24e69f3356d5be63
Instruction Fuzzy Hash: 62E15E71604214AFCB14DF25C8A5D2ABBE4FF89715F04896EF84ADB2A1DB30ED05CB91

Function 00544164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0054418B
EmptyClipboard.USER32 ref: 00544191
GlobalAlloc.KERNEL32(00000002,?), ref: 005441A6
CloseClipboard.USER32 ref: 00544245

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: d49cfcdd08c4ee5bcca0e55b23a8d84935b3e491cf66e91eef6351204958c6a1
Instruction ID: 738a16f5ed0b6ad48aaad9a960e9f1dec7345614cdabee6a5f7774c4fe0445da
Opcode Fuzzy Hash: d49cfcdd08c4ee5bcca0e55b23a8d84935b3e491cf66e91eef6351204958c6a1
Instruction Fuzzy Hash: 7A21B2792402119FDB10AF24EC29B6E7BA8FF55719F10802AF946DB2A1DB74AC04EF54

Function 005337EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004D4743,?,?,004D37AE,?), ref: 004D4770

Part of subcall function 00534A31: GetFileAttributesW.KERNEL32(?,0053370B), ref: 00534A32

FindFirstFileW.KERNEL32(?,?), ref: 005338A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0053394B
MoveFileW.KERNEL32(?,?), ref: 0053395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0053397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0053399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 005339B9

Strings

\*.*, xrefs: 0053384E, 00533857, 0053386C

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 749c9350ad2e31e1049fb8909e9f168d944ccbc6bf3d26d502bf8b103a94376f
Instruction ID: 21b2e286cedd3feb0ee9371c86d8d7764e3e930d8701ac89178ef1a261d77e19
Opcode Fuzzy Hash: 749c9350ad2e31e1049fb8909e9f168d944ccbc6bf3d26d502bf8b103a94376f
Instruction Fuzzy Hash: 6951917180514DAACF01EFA5C9A29EDBB79BF10314F6000AAE40277291EF356F0DCB64

Function 0053F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004D7DE1: _memmove.LIBCMT ref: 004D7E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0053F440
Sleep.KERNEL32(0000000A), ref: 0053F470
_wcscmp.LIBCMT ref: 0053F484
_wcscmp.LIBCMT ref: 0053F49F
FindNextFileW.KERNEL32(?,?), ref: 0053F53D
FindClose.KERNEL32(00000000), ref: 0053F553

Strings

*.*, xrefs: 0053F425

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 3ed3e469aaa4cec15b629b4bb0e306fed619b34cb7d7370350ffd0654f494d12
Instruction ID: 9b84a5424baba0fc48cb6ab917433c0493c0263e34f6619dfaef085dbbfe8154
Opcode Fuzzy Hash: 3ed3e469aaa4cec15b629b4bb0e306fed619b34cb7d7370350ffd0654f494d12
Instruction Fuzzy Hash: 8F415C71D0021AAFCF14EFA4DC59AEEBBB4FF15314F14446AE815A3291EB349A44CB50

Function 004E3030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

3cN, xrefs: 004E3225
_N, xrefs: 004E3322

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3cN$_N
API String ID: 674341424-2844543080
Opcode ID: 73ee91857daa3dd153b36ce544a778d20b6fb18318de696c8e1e42386d8aa59e
Instruction ID: 64e014cd1dd0a328c658850b9eb20cd4d77cbb583bcaffa74a6c262f2f745370
Opcode Fuzzy Hash: 73ee91857daa3dd153b36ce544a778d20b6fb18318de696c8e1e42386d8aa59e
Instruction Fuzzy Hash: 2622A8716083408FD725DF15C895BABBBE4BF84309F00492EF99A97281DB38E945CB96

Function 004E5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004E58A5
_memmove.LIBCMT ref: 004E58F5
_memmove.LIBCMT ref: 004E595B

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 5fd4faa6861cde907ae3f63738efc9d96eec9cd0e82f51b17196c9a820b9ff07
Instruction ID: 46b8c3d4b64db618f56f7bca363da4abf7abbb19abba1d9814262462c70f4ea4
Opcode Fuzzy Hash: 5fd4faa6861cde907ae3f63738efc9d96eec9cd0e82f51b17196c9a820b9ff07
Instruction Fuzzy Hash: 64129E70A00619DFDF04DFA6D981AEEB7F5FF48304F10452AE806E7292EB39A915CB54

Function 00533B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004D4743,?,?,004D37AE,?), ref: 004D4770

Part of subcall function 00534A31: GetFileAttributesW.KERNEL32(?,0053370B), ref: 00534A32

FindFirstFileW.KERNEL32(?,?), ref: 00533B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00533BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00533BEA
FindClose.KERNEL32(00000000), ref: 00533C01
FindClose.KERNEL32(00000000), ref: 00533C0A

Strings

\*.*, xrefs: 00533B5B

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: ac69e2ff42fd14435c870b424c56260e70b48859f11dadae0e63ae001a390fca
Instruction ID: 134466bbb81846ce65e2b0434864125c839cac7eee878bb95291546945b1bda9
Opcode Fuzzy Hash: ac69e2ff42fd14435c870b424c56260e70b48859f11dadae0e63ae001a390fca
Instruction Fuzzy Hash: 7C317E710083859BC301EF64D8A58AFBBA8BE91318F444D6FF4D592291EB25DA0CDB67

Function 005351BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0052882B
Part of subcall function 005287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00528858
Part of subcall function 005287E1: GetLastError.KERNEL32 ref: 00528865

ExitWindowsEx.USER32(?,00000000), ref: 005351F9

Strings

SeShutdownPrivilege, xrefs: 005351C9
, xrefs: 005351E7
@, xrefs: 005351EC

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 81ce7e91244d82368abe62a5696d3cdfa7dea7bf0562745d4c425b8ff8899745
Instruction ID: 588590970cd1af76cb687870bf3c5312a6498d63e89880e4b54bdc06727232f1
Opcode Fuzzy Hash: 81ce7e91244d82368abe62a5696d3cdfa7dea7bf0562745d4c425b8ff8899745
Instruction Fuzzy Hash: 3D0126397916126BF72862A8AC9EFBB7FA8FB05341F641820F903E30D2FA515C008690

Function 00546283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 005462DC
WSAGetLastError.WSOCK32(00000000), ref: 005462EB
bind.WSOCK32(00000000,?,00000010), ref: 00546307
listen.WSOCK32(00000000,00000005), ref: 00546316
WSAGetLastError.WSOCK32(00000000), ref: 00546330
closesocket.WSOCK32(00000000,00000000), ref: 00546344

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: cc31a6162e5c9818ab4f4ef7b0f58fc2b21ac68107f875a856276c705f0655bd
Instruction ID: 9960a3d52d3453e875b71a2259bc95ea018675173578b70581530ac44f020f31
Opcode Fuzzy Hash: cc31a6162e5c9818ab4f4ef7b0f58fc2b21ac68107f875a856276c705f0655bd
Instruction Fuzzy Hash: 1621CE34600204AFCB00EF64C859BAEBBA9FF49729F14455AF816E73D1C770AC05DB51

Function 004E5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 004F0DB6: std::exception::exception.LIBCMT ref: 004F0DEC
Part of subcall function 004F0DB6: __CxxThrowException@8.LIBCMT ref: 004F0E01

_memmove.LIBCMT ref: 00520258
_memmove.LIBCMT ref: 0052036D
_memmove.LIBCMT ref: 00520414

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: f8add75d8d9fca074ccd03c973b6b990809cd67c73b3b015aaf9914f12624c36
Instruction ID: 6cf598a0432abc358fdc6adc2f216d5b6cd5d40d78eb5868b94381e2869f607f
Opcode Fuzzy Hash: f8add75d8d9fca074ccd03c973b6b990809cd67c73b3b015aaf9914f12624c36
Instruction Fuzzy Hash: B002D0B0A00219DBCF04DF65D981ABE7BB5FF45304F54806AE80ADB396EB38D950CB95

Function 004D1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 004D2612: GetWindowLongW.USER32(?,000000EB), ref: 004D2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 004D19FA
GetSysColor.USER32(0000000F), ref: 004D1A4E
SetBkColor.GDI32(?,00000000), ref: 004D1A61

Part of subcall function 004D1290: DefDlgProcW.USER32(?,00000020,?), ref: 004D12D8

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 03f9ff4914c7dfc1ea9e39ccf87d63f378182db9a913955c9648eb24fb6f773f
Instruction ID: 67a6c5c215a23a9cbff94e7f34b797013c86fe65055210e38c2117c01251cd16
Opcode Fuzzy Hash: 03f9ff4914c7dfc1ea9e39ccf87d63f378182db9a913955c9648eb24fb6f773f
Instruction Fuzzy Hash: CEA139B1206545BEE628AB294CB8D7F2D9CEB81346B14051BFD02D53F6DA2C9D02D37A

Function 0053BCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0053BCE6
_wcscmp.LIBCMT ref: 0053BD16
_wcscmp.LIBCMT ref: 0053BD2B
FindNextFileW.KERNEL32(00000000,?), ref: 0053BD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0053BD6C

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: f24805fc08362c14d039a0185acbf42a2a71c05f542110e812d8bd1de90f84c1
Instruction ID: e650777194d296ee01252c9f30719ef0c607ce9bda8c523bdf4556d5db0b8784
Opcode Fuzzy Hash: f24805fc08362c14d039a0185acbf42a2a71c05f542110e812d8bd1de90f84c1
Instruction Fuzzy Hash: 5F519A75A046029FD714DF28C4A1EAABBE4FF49324F004A5EFA56873A1DB34ED04CB91

Function 00546747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00547D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00547DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0054679E
WSAGetLastError.WSOCK32(00000000), ref: 005467C7
bind.WSOCK32(00000000,?,00000010), ref: 00546800
WSAGetLastError.WSOCK32(00000000), ref: 0054680D
closesocket.WSOCK32(00000000,00000000), ref: 00546821

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: a8d27b9824f9ee8571ff7de3493f4546963da9fd7dd8d92e016b529a3ddbe9fb
Instruction ID: 7f80e56db129ed0ad6c39f8d33bb48dbf6743801598084bcf56dcaf9e13ca65a
Opcode Fuzzy Hash: a8d27b9824f9ee8571ff7de3493f4546963da9fd7dd8d92e016b529a3ddbe9fb
Instruction Fuzzy Hash: 8C41B175A002106FDB10BF658896F7E77A8EF49B18F04845EF915EB3C2CA74AD009795

Function 00555376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 005553C5
IsWindowEnabled.USER32 ref: 005553D3
GetForegroundWindow.USER32(?,?,00000001), ref: 005553E0
IsIconic.USER32 ref: 005553EE
IsZoomed.USER32 ref: 005553FC

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 2513214a5e1c2ecc83c7eb7d867b8ba62363e4990eebdc3fec9582fd3837d8d6
Instruction ID: d349bf22dd85100251351966a6fe82e11d7a31a0c277ccb28df3e868b3393b35
Opcode Fuzzy Hash: 2513214a5e1c2ecc83c7eb7d867b8ba62363e4990eebdc3fec9582fd3837d8d6
Instruction Fuzzy Hash: 3011E6313006119BDB216F26DC74A1E7F98FF447A2B41483BFC09D3241EB74AC059694

Function 005280A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005280C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005280CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005280D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005280E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005280F6

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7c56b12ead701024c7631f256a191591e7e1f020de0b03b7cb345f65c28eeda4
Instruction ID: 880f33bfb778bfffd2860ce1590155200d09b02109f9fd6e270f0de88f0990df
Opcode Fuzzy Hash: 7c56b12ead701024c7631f256a191591e7e1f020de0b03b7cb345f65c28eeda4
Instruction Fuzzy Hash: 3DF04F31246314AFEB100FA5EC9DE7B3FACFF4A756B040025F945C61E0CA619C55EB60

Function 0053C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0053C432
CoCreateInstance.OLE32(00562D6C,00000000,00000001,00562BDC,?), ref: 0053C44A

Part of subcall function 004D7DE1: _memmove.LIBCMT ref: 004D7E22

CoUninitialize.OLE32 ref: 0053C6B7

Strings

.lnk, xrefs: 0053C3C6, 0053C3EE, 0053C3F8

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 1b6a7176494b52c713fbef10a0528a86e90abcbc0a3888b84c69bf9441db2cd7
Instruction ID: 27978f19323a2ba25f1d5d179e7681c2796dd460ee40547fd49f63ea5acffbb3
Opcode Fuzzy Hash: 1b6a7176494b52c713fbef10a0528a86e90abcbc0a3888b84c69bf9441db2cd7
Instruction Fuzzy Hash: 06A15CB1204205AFD700EF54C8A1EABB7E8FF95318F00495EF15597292EB71ED09CB56

Function 004D4B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004D4AD0), ref: 004D4B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004D4B57

Strings

GetNativeSystemInfo, xrefs: 004D4B51
kernel32.dll, xrefs: 004D4B40

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: eec5c3ab341ea2891a66d9c248f2b58ed82d9f562ec98b13b1f18159cf015113
Instruction ID: 896a163447ba82feb9bd6e6f993d99aca8f53bf4a489366627ee17308301f07c
Opcode Fuzzy Hash: eec5c3ab341ea2891a66d9c248f2b58ed82d9f562ec98b13b1f18159cf015113
Instruction Fuzzy Hash: 00D01234A10713CFD7209F31D838B0677D4AF55352B11883B98C5D6650E674E484C758

Function 0054EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0054EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0054EE4B

Part of subcall function 004D7DE1: _memmove.LIBCMT ref: 004D7E22

Process32NextW.KERNEL32(00000000,?), ref: 0054EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0054EF1A

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 92c28807a95e9473f4adf664e02074181089b7f99f2bfe204bb3a7951e9e7dbb
Instruction ID: 4af2d37669d0a3b281b15f83b9467989e052921cb022c8d79851f2d41b507090
Opcode Fuzzy Hash: 92c28807a95e9473f4adf664e02074181089b7f99f2bfe204bb3a7951e9e7dbb
Instruction Fuzzy Hash: FD519271504701AFD310EF25CC96EABBBE8FF94714F00481EF595972A1EB309908CB96

Function 0052E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0052E628

Strings

|, xrefs: 0052E658
(, xrefs: 0052E66E

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: c351bd3b5b80a1427705de439d798d60f6770a785dc833aa2f588e2598cf1fb1
Instruction ID: 8451bdacca8834392c32a5097549464556f064be8b62ee45a22f1d4ec8dede0d
Opcode Fuzzy Hash: c351bd3b5b80a1427705de439d798d60f6770a785dc833aa2f588e2598cf1fb1
Instruction Fuzzy Hash: 73323575A007159FDB28CF19D48196ABBF0FF49320B15C46EE89ADB3A1E770E941CB44

Function 005422EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0054180A,00000000), ref: 005423E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00542418

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: f248f1d18ce728c03c4358c2f8dba8bebe8dcbd2775072d2089fa7414bda307e
Instruction ID: f39eb0e87d9862a403e7847831c85c7e91690cf4c52e8da43aa3087fd1d6c2a4
Opcode Fuzzy Hash: f248f1d18ce728c03c4358c2f8dba8bebe8dcbd2775072d2089fa7414bda307e
Instruction Fuzzy Hash: 5441F371904219BFEF109E95DC85EFBBBBCFB80318F50446EF601A7141EAB49E41A660

Function 0053B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0053B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0053B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0053B3EA

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 3179c310f643f6fe15148b7b2f6ee7dd4aedd976a43248b9d571a6c3cdd7817e
Instruction ID: 9fbf3d74ecbe5222dee2337ce8701c64003cbf13ba843c4fe42377b59253ec34
Opcode Fuzzy Hash: 3179c310f643f6fe15148b7b2f6ee7dd4aedd976a43248b9d571a6c3cdd7817e
Instruction Fuzzy Hash: CB218E35A00618EFCB00EFA5D894AEDBBB8FF49314F1480AAF905EB351CB319919DB50

Function 005287E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 004F0DB6: std::exception::exception.LIBCMT ref: 004F0DEC
Part of subcall function 004F0DB6: __CxxThrowException@8.LIBCMT ref: 004F0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0052882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00528858
GetLastError.KERNEL32 ref: 00528865

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 9e92c3b311d4405787e3d45ed6b65fdb8e13a5558e927fd56f60fcf697f6135c
Instruction ID: 4180f72948ff2908d5fa8c523abd863ff8d2969ae957bce7d246c3bbe2d26725
Opcode Fuzzy Hash: 9e92c3b311d4405787e3d45ed6b65fdb8e13a5558e927fd56f60fcf697f6135c
Instruction Fuzzy Hash: 211190B1404304AFE718DF94EC85D3BBBA8FF45311B24852EE45683291EB30BC008B60

Function 0052874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00528774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0052878B
FreeSid.ADVAPI32(?), ref: 0052879B

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: e4d06c681fd84cf5caef6519dd6ce44d98d22785fdf314121231adae0b81a47e
Instruction ID: f8a19416a1ce25c526bc54aed23321eb2dbf009d4de220d892438870d27ad127
Opcode Fuzzy Hash: e4d06c681fd84cf5caef6519dd6ce44d98d22785fdf314121231adae0b81a47e
Instruction Fuzzy Hash: F4F04975A1130CFFDF00DFF4DC99ABEBBBCEF08211F1044A9A902E2191E6716A089B50

Function 00538889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0053889B

Part of subcall function 004F520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00538F6E,00000000,?,?,?,?,0053911F,00000000,?), ref: 004F5213
Part of subcall function 004F520A: __aulldiv.LIBCMT ref: 004F5233

Strings

0eY, xrefs: 00538892

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0eY
API String ID: 2893107130-3507964464
Opcode ID: 8792124dd9a3e533dc837c19b452147ffc805d1fe57294ab8bf11c03b7ff8588
Instruction ID: a53d13b144111131b6606058cd5cbb457fe242388868278f5fcec56cdecd81f9
Opcode Fuzzy Hash: 8792124dd9a3e533dc837c19b452147ffc805d1fe57294ab8bf11c03b7ff8588
Instruction Fuzzy Hash: BF21E132635610CBC729CF29D841A62B7E1EFA4310F698E6DE1F5CB2D0CA34B909DB54

Function 0053C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0053C6FB
FindClose.KERNEL32(00000000), ref: 0053C72B

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: e6da357880f7c7b4784d70813e93a57bc90c4075d501d5e5386b16fdaea482cd
Instruction ID: 8baf11231ce2421f8be9cc5f2da0cd8583dc41cc17e9fe7c758d0c7a4c063142
Opcode Fuzzy Hash: e6da357880f7c7b4784d70813e93a57bc90c4075d501d5e5386b16fdaea482cd
Instruction Fuzzy Hash: 271182716102009FDB10EF29D85592AFBE8FF85325F00851EF9A5D7390DB34AC05DB81

Function 0053A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00549468,?,0055FB84,?), ref: 0053A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00549468,?,0055FB84,?), ref: 0053A0A9

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 29d49ea9df928fa722e99e07a5f21944916efc440b503ca2e05ac4f714b0c61e
Instruction ID: 2b16d749c3595c2c888039953eb8d465e992593269969546cdf238c74c426b3d
Opcode Fuzzy Hash: 29d49ea9df928fa722e99e07a5f21944916efc440b503ca2e05ac4f714b0c61e
Instruction Fuzzy Hash: B8F0823510532DABDB21AFA4DC4CFEE776DBF08361F004566F949D7181D6309944CBA1

Function 005281CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00528309), ref: 005281E0
CloseHandle.KERNEL32(?,?,00528309), ref: 005281F2

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 1ab3300805c9b23cce19fda15e11bee29c6485be0d7f53901c418794b405f823
Instruction ID: d24544f6f47fd8e3ae7b24ac828983f2d4602868023bd1852dc869d14432fdad
Opcode Fuzzy Hash: 1ab3300805c9b23cce19fda15e11bee29c6485be0d7f53901c418794b405f823
Instruction Fuzzy Hash: 9EE0E671011610AFE7252B61FC09D777BE9EF44315714882DF556844B1DB615C91DB14

Function 004FA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,004F8D57,?,?,?,00000001), ref: 004FA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 004FA163

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8b72ea6ce877054fd1ff77fe3620a68b0ac76a872a862f5b8aae97dfc1cfed8d
Instruction ID: 4f33a46c683b237008834b538df4c633df9cf91f23f878cf8910c323fc354805
Opcode Fuzzy Hash: 8b72ea6ce877054fd1ff77fe3620a68b0ac76a872a862f5b8aae97dfc1cfed8d
Instruction Fuzzy Hash: 83B09231054308ABEA002F91ED19B893F68EB54AA3F414420F60D84070CB625454AB91

Function 004FF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eee55c6cd72792dd0c6ba16013bc92b5042b8a598fa0ff61b3e7b047186b7bc
Instruction ID: 29193ee35c76af544d76d3571449e85bb29b9dc8f118134c99b9bba313d4e226
Opcode Fuzzy Hash: 5eee55c6cd72792dd0c6ba16013bc92b5042b8a598fa0ff61b3e7b047186b7bc
Instruction Fuzzy Hash: 07322561D29F494ED7239638C832336A248AFB73C8F15D737F819B6AA5EF68C4875104

Function 0050242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6befcec6ee9f55fbd5af51cfda1a8932fcbda21b89ac08dbac4a23f2fc68a74
Instruction ID: 46170e0cac4638b13daf21b81fc108bdc09eba26452f9e59ac6e425d36449830
Opcode Fuzzy Hash: b6befcec6ee9f55fbd5af51cfda1a8932fcbda21b89ac08dbac4a23f2fc68a74
Instruction Fuzzy Hash: ACB13020E2AF404DD72396388835336BA4CBFBB2C5F51D71BFC2675E62EB6284835241

Function 00534C53 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00534C76

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 5c97ce9f959689346d6c7c76414239f8fa8717cc969d9b7de4fb47f6626b174e
Instruction ID: cd402d909c154defb74be5edb8a37f9c606e9a9531d1e9eb4aa6aea5553ea989
Opcode Fuzzy Hash: 5c97ce9f959689346d6c7c76414239f8fa8717cc969d9b7de4fb47f6626b174e
Instruction Fuzzy Hash: 1BD09EA416261D79EE2807209E5FFBA1B09F3C0791F9CA54A7241951C1E8FC7C44ED35

Function 005287B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00528389), ref: 005287D1

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: a6bf655c88c7e79060cae58aed0755a25c8bbacb2dc69070855f494a41e4a01d
Instruction ID: 54caa73214cea5002e193ee400b1c2cd60060058391c5103f184ab010cd4a97c
Opcode Fuzzy Hash: a6bf655c88c7e79060cae58aed0755a25c8bbacb2dc69070855f494a41e4a01d
Instruction Fuzzy Hash: C7D05E3226060EABEF018EA4DC05EAE3B69EB04B01F408111FE16C50A1C775D835AB60

Function 004FA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 004FA12A

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8b605e6ee39d01139791ce73648486fb6180ef5d2e17ff14415e2ad717e04948
Instruction ID: c417afb7f27798bb95c944d9a106e5793adfbdd79a5f80d6c5b46307993590d7
Opcode Fuzzy Hash: 8b605e6ee39d01139791ce73648486fb6180ef5d2e17ff14415e2ad717e04948
Instruction Fuzzy Hash: C6A0113000020CAB8A002F82EC08888BFACEA002A2B008020F80C800328B32A820AA80

Function 004E8808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e357bc18f653edd991e042588d10a7246a24f5f8b310963d43859852d6a37a
Instruction ID: 8a5cc241442868b62a756a13619b6b14db63884ddfa805be643fb5576aec318f
Opcode Fuzzy Hash: 83e357bc18f653edd991e042588d10a7246a24f5f8b310963d43859852d6a37a
Instruction Fuzzy Hash: 422259309045A2CBDF288B66E49437D7BA1FF02305F28846FD84A9B6D3EB789D91C745

Function 004F21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 7fa196b142404b8aa211e40e656c7c255604b3df898d6881591083b8c65529a5
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 22C1F6322050974ADF2D463AC53403FFBA15EA27B131A036FD9B3CB2D4EE28D925D624

Function 004F25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: ef2671e4406b0201d0232f977193f7bba3e3d5848bcd1e33b687d043344608e1
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 93C1E1322050A74ADF2D463AC53403FFBA15EA27B131A036FD5B3DB2D4EE68D925D624

Function 004F1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: f67406e556b480efd459f89f9094397a7cd05c454c2c475254dc2eeae5b34562
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: FCC1A33220519789DF2D463AC47403FBBB15EA27B131A076FD5B3CB2E4EE28D925D624

Function 017EE6B8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147174968.00000000017EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17eb000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: ae2958f11e8faff0eb9ef824a6c92a20b3f2c355d8aa366383544fedad40ddd9
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 4F41C171D1051CEBCF48CFADC991AAEFBF2AF88201F548299D516AB345D730AB41DB80

Function 017EE548 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147174968.00000000017EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17eb000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: d22f2fa41345bccf4bdb64895ab61b5785db7d804b7716b480ec9deb78ea656b
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 29019278A10209EFCB44DF98C5949AEF7F5FB4C310F208999E819A7345EB30AE41DB80

Function 017EE5A8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147174968.00000000017EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17eb000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 594fa03065744a5c38c46f2b8374131ab3ab0624501b73787e3d1b98a40dec0e
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: CF019278A00109EFCB44DF98C5949AEF7F5FB4C310F208999E819A7345EB30AE51DB80

Function 017ECEF8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147174968.00000000017EB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017EB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17eb000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00547806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0054785B
DeleteObject.GDI32(00000000), ref: 0054786D
DestroyWindow.USER32 ref: 0054787B
GetDesktopWindow.USER32 ref: 00547895
GetWindowRect.USER32(00000000), ref: 0054789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 005479DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 005479ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00547A35
GetClientRect.USER32(00000000,?), ref: 00547A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00547A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00547A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00547AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00547ABB
GlobalLock.KERNEL32(00000000), ref: 00547AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00547AD3
GlobalUnlock.KERNEL32(00000000), ref: 00547ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00547AE3
GlobalFree.KERNEL32(00000000), ref: 00547AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00547B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00562CAC,00000000), ref: 00547B16
GlobalFree.KERNEL32(00000000), ref: 00547B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00547B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00547B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00547B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00547D7A

Strings

AutoIt v3, xrefs: 00547A2D
static, xrefs: 00547A75, 00547BCC
, xrefs: 00547D00
DISPLAY, xrefs: 00547BDD

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: d3908bcb41aea88d972bad7ca96d8762f41cc643cb67d5a8d3a3ca2968ad13e8
Instruction ID: 6fce2367e96b5af8ae32fd8f1696b6be6447520d5002b02c73cb79af8ee432a5
Opcode Fuzzy Hash: d3908bcb41aea88d972bad7ca96d8762f41cc643cb67d5a8d3a3ca2968ad13e8
Instruction Fuzzy Hash: 66026975900209AFDF14DFA4DC99EAE7BB9FB48315F00815AF905AB2A1DB30AD05DB60

Function 0055356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0055F910), ref: 00553627
IsWindowVisible.USER32(?), ref: 0055364B

Strings

HIDEDROPDOWN, xrefs: 00553700
SELECTSTRING, xrefs: 00553806
UNCHECK, xrefs: 00553883
ISENABLED, xrefs: 0055366B
GETCURRENTLINE, xrefs: 005538ED
TABRIGHT, xrefs: 0055369D
EDITPASTE, xrefs: 0055395F
ISVISIBLE, xrefs: 00553637
SENDCOMMANDID, xrefs: 005539DA
FINDSTRING, xrefs: 00553776
GETCURRENTCOL, xrefs: 00553928
TABLEFT, xrefs: 00553687
CURRENTTAB, xrefs: 005536BD
GETLINECOUNT, xrefs: 005538C6
SETCURRENTSELECTION, xrefs: 005537B6
ISCHECKED, xrefs: 00553839
GETLINE, xrefs: 0055399B
GETCURRENTSELECTION, xrefs: 005537E3
GETSELECTED, xrefs: 005538A3
ADDSTRING, xrefs: 00553716
SHOWDROPDOWN, xrefs: 005536E0
DELSTRING, xrefs: 00553749
CHECK, xrefs: 0055386D

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: ff467dd659d32473fa555ab7e8b52ee129fd0b3a12467cc2c9db9d9c36fc63e0
Instruction ID: 45531a12d5f08539aaee2ca84e737f800a3196f12c67726540166e4d5d4b2e95
Opcode Fuzzy Hash: ff467dd659d32473fa555ab7e8b52ee129fd0b3a12467cc2c9db9d9c36fc63e0
Instruction Fuzzy Hash: 20D16C706042019BCB04EF11C565A7E7FE1BF95385F14485EFC8AAB3A2DB25EE0ACB45

Function 0055A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0055A630
GetSysColorBrush.USER32(0000000F), ref: 0055A661
GetSysColor.USER32(0000000F), ref: 0055A66D
SetBkColor.GDI32(?,000000FF), ref: 0055A687
SelectObject.GDI32(?,00000000), ref: 0055A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0055A6C1
GetSysColor.USER32(00000010), ref: 0055A6C9
CreateSolidBrush.GDI32(00000000), ref: 0055A6D0
FrameRect.USER32(?,?,00000000), ref: 0055A6DF
DeleteObject.GDI32(00000000), ref: 0055A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0055A731
FillRect.USER32(?,?,00000000), ref: 0055A763
GetWindowLongW.USER32(?,000000F0), ref: 0055A78E

Part of subcall function 0055A8CA: GetSysColor.USER32(00000012), ref: 0055A903
Part of subcall function 0055A8CA: SetTextColor.GDI32(?,?), ref: 0055A907
Part of subcall function 0055A8CA: GetSysColorBrush.USER32(0000000F), ref: 0055A91D
Part of subcall function 0055A8CA: GetSysColor.USER32(0000000F), ref: 0055A928
Part of subcall function 0055A8CA: GetSysColor.USER32(00000011), ref: 0055A945
Part of subcall function 0055A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0055A953
Part of subcall function 0055A8CA: SelectObject.GDI32(?,00000000), ref: 0055A964
Part of subcall function 0055A8CA: SetBkColor.GDI32(?,00000000), ref: 0055A96D
Part of subcall function 0055A8CA: SelectObject.GDI32(?,?), ref: 0055A97A
Part of subcall function 0055A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0055A999
Part of subcall function 0055A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0055A9B0
Part of subcall function 0055A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0055A9C5
Part of subcall function 0055A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0055A9ED

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: bb2c9c04dc4ba7e94240d3e9b94368dfcb841af62cc5e5cc35e52f33e229ced0
Instruction ID: b27f3e338a778342fe297e241a2f107fe97f09ffe7535169c212036d65bf5b3e
Opcode Fuzzy Hash: bb2c9c04dc4ba7e94240d3e9b94368dfcb841af62cc5e5cc35e52f33e229ced0
Instruction Fuzzy Hash: 32918C72408301FFCB119F64DC18A5BBBA9FF88322F140B2AF962961E1D731D948DB52

Function 005474AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 005474DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0054759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 005475DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 005475ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00547633
GetClientRect.USER32(00000000,?), ref: 0054763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00547683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00547692
GetStockObject.GDI32(00000011), ref: 005476A2
SelectObject.GDI32(00000000,00000000), ref: 005476A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 005476B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005476BF
DeleteDC.GDI32(00000000), ref: 005476C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005476F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0054770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00547746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0054775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0054776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0054779B
GetStockObject.GDI32(00000011), ref: 005477A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 005477B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 005477BB

Strings

AutoIt v3, xrefs: 0054762B
msctls_progress32, xrefs: 0054773C
static, xrefs: 0054767D, 00547795
DISPLAY, xrefs: 00547688

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 9dfb125c32ef590980c3f2f3029ac63f950d79e3950e5ca2f7208fd12bdf5178
Instruction ID: 20d6b1a7e295aafaeff5b70ca9fa1b85fac3eba33a04612dd9f7598f930a91f8
Opcode Fuzzy Hash: 9dfb125c32ef590980c3f2f3029ac63f950d79e3950e5ca2f7208fd12bdf5178
Instruction Fuzzy Hash: 69A19F71A00609BFEB10DBA4DC5AFAE7BB9EB18715F004116FA15EB2E0D770AD04DB64

Function 0053AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0053AD1E
GetDriveTypeW.KERNEL32(?,0055FAC0,?,\\.\,0055F910), ref: 0053ADFB
SetErrorMode.KERNEL32(00000000,0055FAC0,?,\\.\,0055F910), ref: 0053AF59

Strings

Removable, xrefs: 0053AE4D
Fibre, xrefs: 0053AEE9
CDROM, xrefs: 0053AE2F
USB, xrefs: 0053AEF0
SAS, xrefs: 0053AF05
Network, xrefs: 0053AE39
Virtual, xrefs: 0053AF21
RAID, xrefs: 0053AEF7
ATA, xrefs: 0053AED4
\\.\, xrefs: 0053AD70
iSCSI, xrefs: 0053AEFE
1394, xrefs: 0053AEDB
Fixed, xrefs: 0053AE43
PhysicalDrive, xrefs: 0053ADA7
SATA, xrefs: 0053AF0C
MMC, xrefs: 0053AF1A
SSA, xrefs: 0053AEE2
SCSI, xrefs: 0053AEC6
SSD, xrefs: 0053AE86
RAMDisk, xrefs: 0053AE25
Unknown, xrefs: 0053AE1B, 0053AEBF
ATAPI, xrefs: 0053AECD
FileBackedVirtual, xrefs: 0053AF28

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: a90215a634cc2c7b29b146e614dcc2f39b1bcf1ef708166c7338bd8ab908d8b2
Instruction ID: 0a3331b42adb60941ba804772897cd5c5e802e5e2dde93579c4efa555c1cf5f9
Opcode Fuzzy Hash: a90215a634cc2c7b29b146e614dcc2f39b1bcf1ef708166c7338bd8ab908d8b2
Instruction Fuzzy Hash: E751A1B8644205ABCB14EB20C992CBD7FA1FF48715F60495BE887B72D1EA319D01EB43

Function 004D68DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 004D6931
__wcsnicmp.LIBCMT ref: 004D6949
__wcsnicmp.LIBCMT ref: 004D6961
__wcsnicmp.LIBCMT ref: 004D6979
__wcsnicmp.LIBCMT ref: 004D6991
__wcsnicmp.LIBCMT ref: 004D69A9
__wcsnicmp.LIBCMT ref: 004D69C1
__wcsnicmp.LIBCMT ref: 004D69D5
__wcsnicmp.LIBCMT ref: 004D6A16
__wcsnicmp.LIBCMT ref: 004D6A2A
__wcsnicmp.LIBCMT ref: 004D6A3E
__wcsnicmp.LIBCMT ref: 004D6A52

Strings

Unterminated group of comments, xrefs: 0050E403
#include-once, xrefs: 004D698B
Cannot parse #include, xrefs: 0050E3F0
#cs, xrefs: 004D69CF, 004D6A24
Bad directive syntax error, xrefs: 0050E31A
#comments-end, xrefs: 004D6A38
#OnAutoItStartRegister, xrefs: 004D6973
#requireadmin, xrefs: 004D695B
#comments-start, xrefs: 004D69BB, 004D6A10
#pragma compile, xrefs: 004D692B
#notrayicon, xrefs: 004D6943
#ce, xrefs: 004D6A4C
#include, xrefs: 004D69A3

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 9d8d4b020fc9f67e2f0d324190147cf8f4760089987fa0f1032f821d450c5769
Instruction ID: 4b31849d1da529d208ccdfeaaaa1111b91b04fe2cade62c633b8f2effae0c0f2
Opcode Fuzzy Hash: 9d8d4b020fc9f67e2f0d324190147cf8f4760089987fa0f1032f821d450c5769
Instruction Fuzzy Hash: 8B8127B1600209AACB20AE61DC63FBF3BA8BF05744F14442BFD456B3D2EB68D905C659

Function 00559A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00559AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00559B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00559BA7

Strings

0, xrefs: 00559BE4

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 86a99a120242a6dfa444d23094983bd89cc3ba73ea0dbffad041c0accade2ecf
Instruction ID: 47a4b5df5a0b3a6b10971cfa8673fe9b6aafcfd94e23c9bd68631e229410aa72
Opcode Fuzzy Hash: 86a99a120242a6dfa444d23094983bd89cc3ba73ea0dbffad041c0accade2ecf
Instruction Fuzzy Hash: EC02EE70104301EFD725CF24C869BAABFE4FF88316F04492EF999962A1C738D948DB52

Function 0055A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0055A903
SetTextColor.GDI32(?,?), ref: 0055A907
GetSysColorBrush.USER32(0000000F), ref: 0055A91D
GetSysColor.USER32(0000000F), ref: 0055A928
CreateSolidBrush.GDI32(?), ref: 0055A92D
GetSysColor.USER32(00000011), ref: 0055A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0055A953
SelectObject.GDI32(?,00000000), ref: 0055A964
SetBkColor.GDI32(?,00000000), ref: 0055A96D
SelectObject.GDI32(?,?), ref: 0055A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0055A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0055A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0055A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0055A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0055AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0055AA32
DrawFocusRect.USER32(?,?), ref: 0055AA3D
GetSysColor.USER32(00000011), ref: 0055AA4B
SetTextColor.GDI32(?,00000000), ref: 0055AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0055AA67
SelectObject.GDI32(?,0055A5FA), ref: 0055AA7E
DeleteObject.GDI32(?), ref: 0055AA89
SelectObject.GDI32(?,?), ref: 0055AA8F
DeleteObject.GDI32(?), ref: 0055AA94
SetTextColor.GDI32(?,?), ref: 0055AA9A
SetBkColor.GDI32(?,?), ref: 0055AAA4

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c33d26bfb3abdbf09907d50e4b6901b7938f7ab515a4d91772a78da9bf79d042
Instruction ID: 01ad323d14aafd59432d540d0238f896bf089ee28abcc46e64f770a6e0459949
Opcode Fuzzy Hash: c33d26bfb3abdbf09907d50e4b6901b7938f7ab515a4d91772a78da9bf79d042
Instruction Fuzzy Hash: BA514B71900218EFDF109FA4DC58EAEBBB9FF08322F114626F911AB2A1D7719944DF90

Function 005589D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00558AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00558AD2
CharNextW.USER32(0000014E), ref: 00558B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00558B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00558B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00558B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00558B86
SetWindowTextW.USER32(?,0000014E), ref: 00558BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00558BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00558C1F
_memset.LIBCMT ref: 00558C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00558C8D
_memset.LIBCMT ref: 00558CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00558D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00558D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00558E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00558E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00558E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00558EB4
DrawMenuBar.USER32(?), ref: 00558EC3
SetWindowTextW.USER32(?,0000014E), ref: 00558EEB

Strings

0, xrefs: 00558E55

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 83e03393881c53958c3ab3bab9ac1ede5acc5d40bee52cfada366b0696492946
Instruction ID: 66cd5555446f9b49fd91a1a9b25fed798419c79d679a91204235c3ac8d8c39d4
Opcode Fuzzy Hash: 83e03393881c53958c3ab3bab9ac1ede5acc5d40bee52cfada366b0696492946
Instruction Fuzzy Hash: E0E15D70901208EADB209F55CC94AFE7FB9FF09721F10815BFD15AA291DB749A88DF60

Function 0055488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005549CA
GetDesktopWindow.USER32 ref: 005549DF
GetWindowRect.USER32(00000000), ref: 005549E6
GetWindowLongW.USER32(?,000000F0), ref: 00554A48
DestroyWindow.USER32(?), ref: 00554A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00554A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00554ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00554AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00554AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00554B09
IsWindowVisible.USER32(?), ref: 00554B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00554B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00554B58
GetWindowRect.USER32(?,?), ref: 00554B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00554B96
GetMonitorInfoW.USER32(00000000,?), ref: 00554BB0
CopyRect.USER32(?,?), ref: 00554BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00554C32

Strings

tooltips_class32, xrefs: 00554A96
0, xrefs: 00554975
(, xrefs: 00554BA3

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6bb8d59417bcb9e259db71f05919dffdb63c34655f89174a5ec5a65f69af7536
Instruction ID: 53d095c2d9440bd5f8317a511c8d99919122c47ac13498b0ff121f80be5ffdb2
Opcode Fuzzy Hash: 6bb8d59417bcb9e259db71f05919dffdb63c34655f89174a5ec5a65f69af7536
Instruction Fuzzy Hash: 21B1AA70604340AFDB04DF65C868B6ABBE5BF88319F00891EF8999B2A1D770EC48CF55

Function 0053449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 005344AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 005344D2
_wcscpy.LIBCMT ref: 00534500
_wcscmp.LIBCMT ref: 0053450B
_wcscat.LIBCMT ref: 00534521
_wcsstr.LIBCMT ref: 0053452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00534548
_wcscat.LIBCMT ref: 00534591
_wcscat.LIBCMT ref: 00534598
_wcsncpy.LIBCMT ref: 005345C3

Strings

DefaultLangCodepage, xrefs: 005345AB
\VarFileInfo\Translation, xrefs: 00534540
StringFileInfo\, xrefs: 0053451B
04090000, xrefs: 0053457E
%u.%u.%u.%u, xrefs: 00534626

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 443aca2b536f08ee6985fffe989f0192ad541dba204950e382e22878683b5f51
Instruction ID: 4a9f69c999dc35e84a905bc654dd91216407164d7cf7d26cc32a9515d7303e91
Opcode Fuzzy Hash: 443aca2b536f08ee6985fffe989f0192ad541dba204950e382e22878683b5f51
Instruction Fuzzy Hash: 9841E8719402047BDB11AA76CC47EBF7B6CEF45714F04046FFA04E6182EB78A9019BA9

Function 004D27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004D28BC
GetSystemMetrics.USER32(00000007), ref: 004D28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004D28EF
GetSystemMetrics.USER32(00000008), ref: 004D28F7
GetSystemMetrics.USER32(00000004), ref: 004D291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004D2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004D2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 004D297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 004D2990
GetClientRect.USER32(00000000,000000FF), ref: 004D29AE
GetStockObject.GDI32(00000011), ref: 004D29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 004D29D5

Part of subcall function 004D2344: GetCursorPos.USER32(?), ref: 004D2357
Part of subcall function 004D2344: ScreenToClient.USER32(005957B0,?), ref: 004D2374
Part of subcall function 004D2344: GetAsyncKeyState.USER32(00000001), ref: 004D2399
Part of subcall function 004D2344: GetAsyncKeyState.USER32(00000002), ref: 004D23A7

SetTimer.USER32(00000000,00000000,00000028,004D1256), ref: 004D29FC

Strings

AutoIt v3 GUI, xrefs: 004D2974

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: f9940ee1c4bd64efd589064f8c1432a51cf64608b4db03f458f8bb5524a7b02d
Instruction ID: d7edd878a821fa5596a5e05e4186c8ae0a6f6f268f83b6dd64ae6dc8f795f1d0
Opcode Fuzzy Hash: f9940ee1c4bd64efd589064f8c1432a51cf64608b4db03f458f8bb5524a7b02d
Instruction Fuzzy Hash: F0B19F7160020AEFDB15DFA8CD69BAE7BB4FB18311F10422AFA15A73D0DB749811DB54

Function 0052A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0052A47A
__swprintf.LIBCMT ref: 0052A51B
_wcscmp.LIBCMT ref: 0052A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0052A583
_wcscmp.LIBCMT ref: 0052A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0052A5F6
GetDlgCtrlID.USER32(?), ref: 0052A648
GetWindowRect.USER32(?,?), ref: 0052A67E
GetParent.USER32(?), ref: 0052A69C
ScreenToClient.USER32(00000000), ref: 0052A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0052A71D
_wcscmp.LIBCMT ref: 0052A731
GetWindowTextW.USER32(?,?,00000400), ref: 0052A757
_wcscmp.LIBCMT ref: 0052A76B

Part of subcall function 004F362C: _iswctype.LIBCMT ref: 004F3634

Strings

%s%u, xrefs: 0052A515

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 840c1b9c6e2030bd29d2870dd48a9ac523543d4bd0a95b26075d45b8b6cb8cbc
Instruction ID: ebd365a1d487307307719e794876ce4a56e5feb01c01968a8ef1caa929d9df36
Opcode Fuzzy Hash: 840c1b9c6e2030bd29d2870dd48a9ac523543d4bd0a95b26075d45b8b6cb8cbc
Instruction Fuzzy Hash: 63A10371204726BFDB18DF60D884FAABBE8FF45305F04852AF999C2190DB30E945CB96

Function 0052AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0052AF18
_wcscmp.LIBCMT ref: 0052AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0052AF51
CharUpperBuffW.USER32(?,00000000), ref: 0052AF6E
_wcscmp.LIBCMT ref: 0052AF8C
_wcsstr.LIBCMT ref: 0052AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0052AFD5
_wcscmp.LIBCMT ref: 0052AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0052B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0052B055
_wcscmp.LIBCMT ref: 0052B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0052B08D
GetWindowRect.USER32(00000004,?), ref: 0052B0F6

Strings

ThumbnailClass, xrefs: 0052AFE0, 0052B060
@, xrefs: 0052AEF9

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: e05cd27a0b1a85e79a1728a71cfd62cadf1a84bb73783adef066bb6a01fd507a
Instruction ID: b40aa6fbd19764a2332dc0e529dff9b49e2de4f9acda9b7d08ee3236f8b5b6a4
Opcode Fuzzy Hash: e05cd27a0b1a85e79a1728a71cfd62cadf1a84bb73783adef066bb6a01fd507a
Instruction Fuzzy Hash: 4581DE710083199BEB01DF11E995BAA7BE8FF85318F04846AFD858A0D2DB38DD49CB61

Function 0055C5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004D2612: GetWindowLongW.USER32(?,000000EB), ref: 004D2623

DragQueryPoint.SHELL32(?,?), ref: 0055C627

Part of subcall function 0055AB37: ClientToScreen.USER32(?,?), ref: 0055AB60
Part of subcall function 0055AB37: GetWindowRect.USER32(?,?), ref: 0055ABD6
Part of subcall function 0055AB37: PtInRect.USER32(?,?,0055C014), ref: 0055ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0055C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0055C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0055C6BE
_wcscat.LIBCMT ref: 0055C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0055C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0055C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0055C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0055C757
DragFinish.SHELL32(?), ref: 0055C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0055C851

Strings

@GUI_DROPID, xrefs: 0055C77E
@GUI_DRAGID, xrefs: 0055C7C9
@GUI_DRAGFILE, xrefs: 0055C800
pbY, xrefs: 0055C79B

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbY
API String ID: 169749273-2342304585
Opcode ID: d3020ef9de06fd187276c41bc162ff6e70386be486cc2b013e2e9ee720239e1f
Instruction ID: 243b747b27dd7f534b942c01612cf687c2f8c3d0e5fb03db37e0665f2454317f
Opcode Fuzzy Hash: d3020ef9de06fd187276c41bc162ff6e70386be486cc2b013e2e9ee720239e1f
Instruction Fuzzy Hash: E5615A71108301AFCB01EF65DCA5DABBFE8FF99754F00092EF591922A1DB709A09CB56

Function 0052ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0052AC33

Strings

ACTIVE, xrefs: 0052AC0E
ALL, xrefs: 0052ACC7
CLASSNAME=, xrefs: 0052AC70
HANDLE=, xrefs: 0052AC2C
[REGEXPTITLE:, xrefs: 0052AC5B
REGEXP=, xrefs: 0052AC48
[ALL, xrefs: 0052ACD9
[LAST, xrefs: 0052ACE0
[HANDLE:, xrefs: 0052AC3F
[ACTIVE, xrefs: 0052AC20
LAST, xrefs: 0052ABF8
[CLASS:, xrefs: 0052AC83

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: d2d5c884d735906d521233ee81d840475301ae1acbc0046eecf49edd14c0b087
Instruction ID: 3e3f004b94f5acd2c98b165a28236c533e8b00ae8aabba49cfa3d49675e94c99
Opcode Fuzzy Hash: d2d5c884d735906d521233ee81d840475301ae1acbc0046eecf49edd14c0b087
Instruction Fuzzy Hash: 8431C13064821DA7DA04FA61EE53EBE7FA4BF14B58F30041FB811711D2FE65AF048656

Function 00544FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00545013
LoadCursorW.USER32(00000000,00007F00), ref: 0054501E
LoadCursorW.USER32(00000000,00007F03), ref: 00545029
LoadCursorW.USER32(00000000,00007F8B), ref: 00545034
LoadCursorW.USER32(00000000,00007F01), ref: 0054503F
LoadCursorW.USER32(00000000,00007F81), ref: 0054504A
LoadCursorW.USER32(00000000,00007F88), ref: 00545055
LoadCursorW.USER32(00000000,00007F80), ref: 00545060
LoadCursorW.USER32(00000000,00007F86), ref: 0054506B
LoadCursorW.USER32(00000000,00007F83), ref: 00545076
LoadCursorW.USER32(00000000,00007F85), ref: 00545081
LoadCursorW.USER32(00000000,00007F82), ref: 0054508C
LoadCursorW.USER32(00000000,00007F84), ref: 00545097
LoadCursorW.USER32(00000000,00007F04), ref: 005450A2
LoadCursorW.USER32(00000000,00007F02), ref: 005450AD
LoadCursorW.USER32(00000000,00007F89), ref: 005450B8
GetCursorInfo.USER32(?), ref: 005450C8

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: b26d81c88851e3cc15255ce45dcab08db20faec716bfe115885da00b434bcdc8
Instruction ID: 02df92f205e8133a1693ee2e872983b0e74c8b18bc684f9b342b6384af6bee5c
Opcode Fuzzy Hash: b26d81c88851e3cc15255ce45dcab08db20faec716bfe115885da00b434bcdc8
Instruction Fuzzy Hash: 543103B1D083196ADF109FB68C8999EBFE8FB08754F50452AA50CE7281EA786504CF91

Function 0055A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0055A259
DestroyWindow.USER32(?,?), ref: 0055A2D3

Part of subcall function 004D7BCC: _memmove.LIBCMT ref: 004D7C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0055A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0055A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0055A382
DestroyWindow.USER32(00000000), ref: 0055A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,004D0000,00000000), ref: 0055A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0055A3F4
GetDesktopWindow.USER32 ref: 0055A40D
GetWindowRect.USER32(00000000), ref: 0055A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0055A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0055A444

Part of subcall function 004D25DB: GetWindowLongW.USER32(?,000000EB), ref: 004D25EC

Strings

tooltips_class32, xrefs: 0055A346, 0055A3D4
0, xrefs: 0055A26F

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 3e449e310551b1b61aa87e175f59d907aaaf85999b14872d4b2160d7910817dd
Instruction ID: ea8cffd2d9237bcb6a01309342b7d9526d19b20b002ad1b87ca21b5f6bad4b67
Opcode Fuzzy Hash: 3e449e310551b1b61aa87e175f59d907aaaf85999b14872d4b2160d7910817dd
Instruction Fuzzy Hash: 7A71AE70140304AFDB21CF68CC69F6A7BE5FB98305F144A1EF985872A0E775E90ADB52

Function 00554392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00554424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0055446F

Strings

EXPAND, xrefs: 00554521
EXISTS, xrefs: 005544D8
GETTEXT, xrefs: 005545C2
GETITEMCOUNT, xrefs: 00554551
UNCHECK, xrefs: 0055464B
ISCHECKED, xrefs: 005545F2
GETSELECTED, xrefs: 0055457F
COLLAPSE, xrefs: 005544B5
GETTOTALCOUNT, xrefs: 00554456
CHECK, xrefs: 0055448F
SELECT, xrefs: 00554620

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 948e64cea8ca7e2c8104fde0f152731f16d921194df741adea73f0fdeeab5470
Instruction ID: f5e1c833e60d427a01b5ed406b3fd550da6d2315d4aca88736f2be8ade8cc087
Opcode Fuzzy Hash: 948e64cea8ca7e2c8104fde0f152731f16d921194df741adea73f0fdeeab5470
Instruction Fuzzy Hash: B6917C706047019BCB04EF11C461A6EBBE1BF95758F04486EFC969B3A2DB34ED49CB85

Function 0055B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0055B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,005591C2), ref: 0055B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0055B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0055B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0055B9C3
FreeLibrary.KERNEL32(?), ref: 0055B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0055B9DF
DestroyIcon.USER32(?,?,?,?,?,005591C2), ref: 0055B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0055BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0055BA17

Part of subcall function 004F2EFD: __wcsicmp_l.LIBCMT ref: 004F2F86

Strings

.dll, xrefs: 0055B86D
.exe, xrefs: 0055B84A
.icl, xrefs: 0055B82A

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 0b6498c11e92a4afd7bc5767302dd2b4bf47e1d3d8691f67659d75b7f3ba3656
Instruction ID: 0fb1674cf1b9bf17331e7c7e1f0a5da1a56fb136a39a2cedd8234b12b2e6e0e4
Opcode Fuzzy Hash: 0b6498c11e92a4afd7bc5767302dd2b4bf47e1d3d8691f67659d75b7f3ba3656
Instruction Fuzzy Hash: A161F071900209BAEB14DF64CC59FBE7BB8FB08712F10451AFE15D61C0DB74A988DBA0

Function 0053DC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0053DCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 0053DCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0053DCF8
__wsplitpath.LIBCMT ref: 0053DD56
_wcscat.LIBCMT ref: 0053DD6E
_wcscat.LIBCMT ref: 0053DD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0053DD95
SetCurrentDirectoryW.KERNEL32(?), ref: 0053DDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 0053DDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 0053DDFC
_wcscpy.LIBCMT ref: 0053DE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0053DE47

Strings

*.*, xrefs: 0053DE02

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: e91ad8ee813e1d583272543c2386850be9facf2c10af6fd57facf56413e88815
Instruction ID: c7ab4c432ee96fd0522f77fc4511bac7bcf7f14b55e20110cc1c2063079feb9f
Opcode Fuzzy Hash: e91ad8ee813e1d583272543c2386850be9facf2c10af6fd57facf56413e88815
Instruction Fuzzy Hash: 326157B25042059FCB10EF60D8549AEB7F8BF89314F04492EF989C7251DB35EE49CBA2

Function 00539C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00539C7F

Part of subcall function 004D7DE1: _memmove.LIBCMT ref: 004D7E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00539CA0
__swprintf.LIBCMT ref: 00539CF9
__swprintf.LIBCMT ref: 00539D12
_wprintf.LIBCMT ref: 00539DB9
_wprintf.LIBCMT ref: 00539DD7

Strings

^ ERROR , xrefs: 00539D4E
Incorrect parameters to object property !, xrefs: 00539D5B
Line %d (File "%s"):, xrefs: 00539CF3, 00539D0C
"%s" (%d) : ==> %s:, xrefs: 00539DD2
Error: , xrefs: 00539D81
"%s" (%d) : ==> %s:%s%s, xrefs: 00539DB4

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 20992e5894b6b897ac14e3428d3cca6ba55ce74969cf140f7e3f598720d5c2a4
Instruction ID: 152969c91098e9706ef807dccca173744a31adb7682d112e8d2f66ad711b8bb7
Opcode Fuzzy Hash: 20992e5894b6b897ac14e3428d3cca6ba55ce74969cf140f7e3f598720d5c2a4
Instruction Fuzzy Hash: DA51CE7190060AAACF14EBE1DD56EEEBB78FF14304F50046BB505721A2EF352E58DB64

Function 0053A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 004D9837: __itow.LIBCMT ref: 004D9862
Part of subcall function 004D9837: __swprintf.LIBCMT ref: 004D98AC

CharLowerBuffW.USER32(?,?), ref: 0053A3CB
GetDriveTypeW.KERNEL32 ref: 0053A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0053A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0053A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0053A4C5

Part of subcall function 004D7BCC: _memmove.LIBCMT ref: 004D7C06

Strings

set cd door , xrefs: 0053A466
close, xrefs: 0053A3D1
type cdaudio alias cd wait, xrefs: 0053A443
open , xrefs: 0053A427
wait, xrefs: 0053A482
open, xrefs: 0053A3F2
close cd wait, xrefs: 0053A4B0
closed, xrefs: 0053A3DF, 0053A3E8

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 522220c3eb1a2636de469d6a48639ae7f477aec865fc6c5deae19d96b09b354d
Instruction ID: e2524aa5632d9e93b8d75b864394eb89fa64132ce70b5b91c379274821c2aa32
Opcode Fuzzy Hash: 522220c3eb1a2636de469d6a48639ae7f477aec865fc6c5deae19d96b09b354d
Instruction Fuzzy Hash: C4515D715143059FC700EF21C9A186ABBE4FF94718F40886EF896A73A1DB35ED09CB56

Function 0052F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0050E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0052F8DF
LoadStringW.USER32(00000000,?,0050E029,00000001), ref: 0052F8E8

Part of subcall function 004D7DE1: _memmove.LIBCMT ref: 004D7E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0050E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0052F90A
LoadStringW.USER32(00000000,?,0050E029,00000001), ref: 0052F90D
__swprintf.LIBCMT ref: 0052F95D
__swprintf.LIBCMT ref: 0052F96E
_wprintf.LIBCMT ref: 0052FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0052FA2E

Strings

^ ERROR, xrefs: 0052F9C3
Line %d:, xrefs: 0052F968
%s (%d) : ==> %s: %s %s, xrefs: 0052FA12
Line %d (File "%s"):, xrefs: 0052F957
Error: , xrefs: 0052F9E5

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 05dfdf3f1dff6b70f3da1ccfbe7cf2552aca149fa69a38baa180bdeb0ba0f304
Instruction ID: 329cf9198d4b2950d55e4fd14b540df2a495d041bc1c9946a972fed26478f6cf
Opcode Fuzzy Hash: 05dfdf3f1dff6b70f3da1ccfbe7cf2552aca149fa69a38baa180bdeb0ba0f304
Instruction Fuzzy Hash: 03414D7290021DAACF04FBE1DDA6DEE7B78AF54304F50006BB605B2191EE356F49CB64

Function 0055BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00559207,?,?), ref: 0055BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00559207,?,?,00000000,?), ref: 0055BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00559207,?,?,00000000,?), ref: 0055BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00559207,?,?,00000000,?), ref: 0055BA85
GlobalLock.KERNEL32(00000000), ref: 0055BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00559207,?,?,00000000,?), ref: 0055BA9D
GlobalUnlock.KERNEL32(00000000), ref: 0055BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00559207,?,?,00000000,?), ref: 0055BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00559207,?,?,00000000,?), ref: 0055BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00562CAC,?), ref: 0055BAD7
GlobalFree.KERNEL32(00000000), ref: 0055BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 0055BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0055BB36
DeleteObject.GDI32(00000000), ref: 0055BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0055BB74

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: f14be5808fc5d066a847c9ac78b63b1aa72ad541850ef56f963c11c307f3b2db
Instruction ID: 29368d7d3763822e616315c1674f6eee5ece69d95ff0a47ca4ec635bfb52a7b0
Opcode Fuzzy Hash: f14be5808fc5d066a847c9ac78b63b1aa72ad541850ef56f963c11c307f3b2db
Instruction Fuzzy Hash: 66412775600208FFEB119F65DC98EABBBB8FB99722F104069F905D7260D7709E09DB60

Function 0053D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0053DA10
_wcscat.LIBCMT ref: 0053DA28
_wcscat.LIBCMT ref: 0053DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0053DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 0053DA63
GetFileAttributesW.KERNEL32(?), ref: 0053DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 0053DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 0053DAA7

Strings

*.*, xrefs: 0053DAE6

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 8badf5db5ffdf91055a3c5c54a4baf0a3924511ff1d50a14e61d1262ba674767
Instruction ID: dd7e0d2ff6a009b245e07feb98973077ab1be35accb19a8ae0676708068a5a6e
Opcode Fuzzy Hash: 8badf5db5ffdf91055a3c5c54a4baf0a3924511ff1d50a14e61d1262ba674767
Instruction Fuzzy Hash: F281B2725043459FCB20EF65D854AAABBF8BF89714F184C2EF889C7251E634ED44CB62

Function 0055C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004D2612: GetWindowLongW.USER32(?,000000EB), ref: 004D2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0055C1FC
GetFocus.USER32 ref: 0055C20C
GetDlgCtrlID.USER32(00000000), ref: 0055C217
_memset.LIBCMT ref: 0055C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0055C36D
GetMenuItemCount.USER32(?), ref: 0055C38D
GetMenuItemID.USER32(?,00000000), ref: 0055C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0055C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0055C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0055C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0055C489

Strings

0, xrefs: 0055C33A

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 6b685eb93dd45fd99a4b53e290431de9f68d83aeeaacb948c340c26b94020be5
Instruction ID: 5025151aefb7d38a430ce543da0d90d8dcac812029b426c4e57d45d7f5616884
Opcode Fuzzy Hash: 6b685eb93dd45fd99a4b53e290431de9f68d83aeeaacb948c340c26b94020be5
Instruction Fuzzy Hash: 90818B74208305AFDB11CF14C8A4A6BBFE8FB88756F10492EFD9597291D770D908DBA2

Function 0054731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0054738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0054739B
CreateCompatibleDC.GDI32(?), ref: 005473A7
SelectObject.GDI32(00000000,?), ref: 005473B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00547408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00547444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00547468
SelectObject.GDI32(00000006,?), ref: 00547470
DeleteObject.GDI32(?), ref: 00547479
DeleteDC.GDI32(00000006), ref: 00547480
ReleaseDC.USER32(00000000,?), ref: 0054748B

Strings

(, xrefs: 00547410

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 9166804eaee277550e9e784cb2196971ff230d77a40cc2146d3b83b1c00abb28
Instruction ID: 79291b7755185b69990ad635b84d8e6d184ba929713569bdded32475cda4d8bc
Opcode Fuzzy Hash: 9166804eaee277550e9e784cb2196971ff230d77a40cc2146d3b83b1c00abb28
Instruction Fuzzy Hash: 92512875904309EFCB14CFA9CC89EAEBBB9FF48310F14882DF95A97261C731A9449B50

Function 004D6A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 004F0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,004D6B0C,?,00008000), ref: 004F0973

Part of subcall function 004D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004D4743,?,?,004D37AE,?), ref: 004D4770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 004D6BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 004D6CFA

Part of subcall function 004D586D: _wcscpy.LIBCMT ref: 004D58A5

Part of subcall function 004F363D: _iswctype.LIBCMT ref: 004F3645

Strings

Bad directive syntax error, xrefs: 0050E79D
Unterminated string, xrefs: 0050E7E4
EA06, xrefs: 0050E452
AU3!, xrefs: 004D6B61
Error opening the file, xrefs: 0050E43D, 0050E4B8
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0050E421
>>>AUTOIT SCRIPT<<<, xrefs: 0050E496

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 0190f3983ff5a51f3def081af881479b59531a0b904e8f6bed0950a869079855
Instruction ID: e256a175d862b083e57eb2679e2d613f17397681cc5eb353bff909e518c9a89e
Opcode Fuzzy Hash: 0190f3983ff5a51f3def081af881479b59531a0b904e8f6bed0950a869079855
Instruction Fuzzy Hash: 150288701083419FC724EF25D8A19AFBBE5BF95318F104C1EF485972A2DB34D949CB56

Function 00532D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00532D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00532DDD
GetMenuItemCount.USER32(00595890), ref: 00532E66
DeleteMenu.USER32(00595890,00000005,00000000,000000F5,?,?), ref: 00532EF6
DeleteMenu.USER32(00595890,00000004,00000000), ref: 00532EFE
DeleteMenu.USER32(00595890,00000006,00000000), ref: 00532F06
DeleteMenu.USER32(00595890,00000003,00000000), ref: 00532F0E
GetMenuItemCount.USER32(00595890), ref: 00532F16
SetMenuItemInfoW.USER32(00595890,00000004,00000000,00000030), ref: 00532F4C
GetCursorPos.USER32(?), ref: 00532F56
SetForegroundWindow.USER32(00000000), ref: 00532F5F
TrackPopupMenuEx.USER32(00595890,00000000,?,00000000,00000000,00000000), ref: 00532F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00532F7E

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: d5828fe7be2f3ff6f3d4001faf303acd8328fbbe6fa194be24d57c5ab9d78645
Instruction ID: 10f20daa9863e653944b37c5f1d77797ed5395c30365ff84b53685a7ae4e4522
Opcode Fuzzy Hash: d5828fe7be2f3ff6f3d4001faf303acd8328fbbe6fa194be24d57c5ab9d78645
Instruction Fuzzy Hash: E0713B70600B05BFEB219F55DC8AFAABF68FF44314F144216F625AA1E0C7716C14EB91

Function 005488AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005488D7
CoInitialize.OLE32(00000000), ref: 00548904
CoUninitialize.OLE32 ref: 0054890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00548A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00548B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00562C0C), ref: 00548B6F
CoGetObject.OLE32(?,00000000,00562C0C,?), ref: 00548B92
SetErrorMode.KERNEL32(00000000), ref: 00548BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00548C25
VariantClear.OLEAUT32(?), ref: 00548C35

Strings

,,V, xrefs: 005488C1

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,V
API String ID: 2395222682-1966078457
Opcode ID: 1fb94e72149200a9714e4331bdb2f2074fcb1d18be1ca393731ba45b7eed7f49
Instruction ID: 0607a9a2759108a8554fdfcc6697f0b3f681780bba6fac20d7186a2b2680b001
Opcode Fuzzy Hash: 1fb94e72149200a9714e4331bdb2f2074fcb1d18be1ca393731ba45b7eed7f49
Instruction Fuzzy Hash: D4C122B1608305AFC700EF69C88496BBBE9FF89748F00491DF98A9B251DB71ED05CB52

Function 005277DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 004D7BCC: _memmove.LIBCMT ref: 004D7C06

_memset.LIBCMT ref: 0052786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005278A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005278BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005278D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00527902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0052792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00527935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0052793A

Strings

\CLSID, xrefs: 00527822
\IPC$, xrefs: 00527882
SOFTWARE\Classes\, xrefs: 0052780C

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 79607dbdcfa317e36e271fa2d25e3ad8863fc96a9898a14cca008bb0af205892
Instruction ID: 7501940fd8e99fa0bc23eed565c5c72d095b08106c60c7f5c879ede9b24e58e0
Opcode Fuzzy Hash: 79607dbdcfa317e36e271fa2d25e3ad8863fc96a9898a14cca008bb0af205892
Instruction Fuzzy Hash: A3410C72C1422DABCF11EBA5DCA5DEDBB78FF18714F04406AE905A32A1EB349D04CB94

Function 00550E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0054FDAD,?,?), ref: 00550E31

Strings

HKEY_CURRENT_CONFIG, xrefs: 00550EEE
HKCR, xrefs: 00550ED9
HKU, xrefs: 00550F43
HKEY_LOCAL_MACHINE, xrefs: 00550E9A
HKLM, xrefs: 00550EAF
HKEY_USERS, xrefs: 00550F32
HKEY_CURRENT_USER, xrefs: 00550F10
HKCC, xrefs: 00550EFF
HKEY_CLASSES_ROOT, xrefs: 00550EC4
HKCU, xrefs: 00550F21

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 310fc946400a6d98450e3682f254e01a9a7c8b78b667b3e20857ac3ec943bcfb
Instruction ID: 980d467d428399650da47feab00abc0af3659e6bbb5fa00d563375c84870ebe2
Opcode Fuzzy Hash: 310fc946400a6d98450e3682f254e01a9a7c8b78b667b3e20857ac3ec943bcfb
Instruction Fuzzy Hash: 69414D3150024A8BCF10EF11D976AFE3BA4BF61319F14145AFD552B292DB349D5ECB60

Function 0052F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0050E2A0,00000010,?,Bad directive syntax error,0055F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0052F7C2
LoadStringW.USER32(00000000,?,0050E2A0,00000010), ref: 0052F7C9

Part of subcall function 004D7DE1: _memmove.LIBCMT ref: 004D7E22

_wprintf.LIBCMT ref: 0052F7FC
__swprintf.LIBCMT ref: 0052F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0052F88D

Strings

Error: , xrefs: 0052F85B
., xrefs: 0052F873
Line %d:, xrefs: 0052F818
Line %d (File "%s"):, xrefs: 0052F833
%s (%d) : ==> %s.: %s %s, xrefs: 0052F7F7

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: ba3c87cbab43c225f9770da67351ef2fc95d72450dc4e9725c4f2902c790abe6
Instruction ID: 0b44de59155eca26401e86c73a4fd40f988c5eb9e5b8a221d3f82b3764af5884
Opcode Fuzzy Hash: ba3c87cbab43c225f9770da67351ef2fc95d72450dc4e9725c4f2902c790abe6
Instruction Fuzzy Hash: 34216F3290021EAFCF11EF91DC6AEFE7B39FF14705F04046BB505661A1EA359618DB54

Function 005352C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 004D7BCC: _memmove.LIBCMT ref: 004D7C06

Part of subcall function 004D7924: _memmove.LIBCMT ref: 004D79AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00535330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00535346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00535357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00535369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0053537A

Strings

status PlayMe mode, xrefs: 0053532B
play PlayMe, xrefs: 00535375
open , xrefs: 005352DF
play PlayMe wait, xrefs: 00535364
close PlayMe, xrefs: 00535341, 0053536E
alias PlayMe, xrefs: 00535309

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 7aadecbc4a334def7e26938cd6131ebe456614efa2d958c27315b03ff9079489
Instruction ID: 8be40b4138ebe82fac5e76acd64db91d7b8bc3da111fe1511f566cf9488030f9
Opcode Fuzzy Hash: 7aadecbc4a334def7e26938cd6131ebe456614efa2d958c27315b03ff9079489
Instruction Fuzzy Hash: D5118661A9012979D720BA76CC59DFF7F7CFB95B44F40085B7811E21D1FEA11D04C664

Function 005346B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005346D2
gethostname.WSOCK32(?,00000100), ref: 005346EC
gethostbyname.WSOCK32(?), ref: 005346F9
_wcscpy.LIBCMT ref: 00534721
_memmove.LIBCMT ref: 00534734
inet_ntoa.WSOCK32(?), ref: 0053473F
_strcat.LIBCMT ref: 0053474D
_wcscpy.LIBCMT ref: 00534764
WSACleanup.WSOCK32 ref: 00534772
_wcscpy.LIBCMT ref: 00534780

Strings

0.0.0.0, xrefs: 0053471B

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: dbe82631185195997ab5aff38680bcc4a6d6284c8538dbea7b68bac68ddd0926
Instruction ID: 9ee6f1e099e9aa5ecc44eab4a10a0bd056df7ee46d63c534bb6b8f46fafcca85
Opcode Fuzzy Hash: dbe82631185195997ab5aff38680bcc4a6d6284c8538dbea7b68bac68ddd0926
Instruction Fuzzy Hash: 431105315002186BCB14AB309C4AEFB7BBCFF52316F0001BAF54592091FF7599868B50

Function 00534F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00534F7A

Part of subcall function 004F049F: timeGetTime.WINMM(?,7694B400,004E0E7B), ref: 004F04A3

Sleep.KERNEL32(0000000A), ref: 00534FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00534FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00534FEC
SetActiveWindow.USER32 ref: 0053500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00535019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00535038
Sleep.KERNEL32(000000FA), ref: 00535043
IsWindow.USER32 ref: 0053504F
EndDialog.USER32(00000000), ref: 00535060

Strings

BUTTON, xrefs: 00534FDE

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: b6ccf8f1a30566db67dc7501fccf695a6043bdc0268487b114abd9ccde88ea3a
Instruction ID: 25d015812aa548a0ec65c0cf156a6ebb1d08a03194266aab1e6a00b65efdd7e7
Opcode Fuzzy Hash: b6ccf8f1a30566db67dc7501fccf695a6043bdc0268487b114abd9ccde88ea3a
Instruction Fuzzy Hash: 5F21A174200705AFE7115F20ED9DA2A3FA9FB66746F4B1025F102822B1FB729D1CEB61

Function 0053D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 004D9837: __itow.LIBCMT ref: 004D9862
Part of subcall function 004D9837: __swprintf.LIBCMT ref: 004D98AC

CoInitialize.OLE32(00000000), ref: 0053D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0053D67D
SHGetDesktopFolder.SHELL32(?), ref: 0053D691
CoCreateInstance.OLE32(00562D7C,00000000,00000001,00588C1C,?), ref: 0053D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0053D74C
CoTaskMemFree.OLE32(?,?), ref: 0053D7A4
_memset.LIBCMT ref: 0053D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0053D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0053D840
CoTaskMemFree.OLE32(00000000), ref: 0053D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0053D87E
CoUninitialize.OLE32(00000001,00000000), ref: 0053D880

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: ddd5633ee417f626bfdf3cbb60be5d1f1a02fc62586dc1e752a2b23ec66499e6
Instruction ID: 1884df1a9042a1679bbe9e9d90220b2ea0c3c98cef90eef89f90165c94482032
Opcode Fuzzy Hash: ddd5633ee417f626bfdf3cbb60be5d1f1a02fc62586dc1e752a2b23ec66499e6
Instruction Fuzzy Hash: 02B10B75A00209AFDB04DFA5D898DAEBBB9FF48304F148469F909EB261DB30ED45CB50

Function 0052C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0052C283
GetWindowRect.USER32(00000000,?), ref: 0052C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0052C2F3
GetDlgItem.USER32(?,00000002), ref: 0052C2FE
GetWindowRect.USER32(00000000,?), ref: 0052C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0052C364
GetDlgItem.USER32(?,000003E9), ref: 0052C372
GetWindowRect.USER32(00000000,?), ref: 0052C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0052C3C6
GetDlgItem.USER32(?,000003EA), ref: 0052C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0052C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0052C3FE

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 9d052ede564fc8d64b3a43393fc8e1c403ea050dbd43b94895a2d56328397279
Instruction ID: 1be50158e2bf2bce91a08ce6a741565420a2a101f1960b3ac9bfc3d4a77d2b05
Opcode Fuzzy Hash: 9d052ede564fc8d64b3a43393fc8e1c403ea050dbd43b94895a2d56328397279
Instruction Fuzzy Hash: 10517D71B00205ABDB08CFA8DD99AAEBFBAFF98311F148529F505D7291D770AD048B10

Function 004D201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 004D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,004D2036,?,00000000,?,?,?,?,004D16CB,00000000,?), ref: 004D1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004D20D3
KillTimer.USER32(-00000001,?,?,?,?,004D16CB,00000000,?,?,004D1AE2,?,?), ref: 004D216E
DestroyAcceleratorTable.USER32(00000000), ref: 0050BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004D16CB,00000000,?,?,004D1AE2,?,?), ref: 0050BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004D16CB,00000000,?,?,004D1AE2,?,?), ref: 0050BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004D16CB,00000000,?,?,004D1AE2,?,?), ref: 0050BD0A
DeleteObject.GDI32(00000000), ref: 0050BD1C

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: cb1a0b5226189dfdea3ac65d310aaa88b46185db731133f43e854ed04c47ae5e
Instruction ID: abd379b569eea95146885580b84a26de639819dd79bb5512dc09333e43a49011
Opcode Fuzzy Hash: cb1a0b5226189dfdea3ac65d310aaa88b46185db731133f43e854ed04c47ae5e
Instruction Fuzzy Hash: CF619131110B01DFDB369F14DAA8B2ABBF1FB60316F20842BE542466B0D7B8A855EB55

Function 004D21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 004D25DB: GetWindowLongW.USER32(?,000000EB), ref: 004D25EC

GetSysColor.USER32(0000000F), ref: 004D21D3

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: dda3b0ea4905f87b5ddf5f9f294053e6a0ddbd2a2864be038cd436c32bf9fc65
Instruction ID: a68ada6f89f4e8a95e8861d4df0a1e5221de9056035e2233435ce5b9f86ada25
Opcode Fuzzy Hash: dda3b0ea4905f87b5ddf5f9f294053e6a0ddbd2a2864be038cd436c32bf9fc65
Instruction Fuzzy Hash: BE41C331004640EBDB215F68DDA8BBA3B65EB26331F1442A7FD658A2E1C7758C42DB25

Function 0053A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0055F910), ref: 0053A90B
GetDriveTypeW.KERNEL32(00000061,005889A0,00000061), ref: 0053A9D5
_wcscpy.LIBCMT ref: 0053A9FF

Strings

fixed, xrefs: 0053A953
removable, xrefs: 0053A93D
all, xrefs: 0053A911
unknown, xrefs: 0053A996
network, xrefs: 0053A969
cdrom, xrefs: 0053A927
ramdisk, xrefs: 0053A97F

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 5674528f1e652c041a084fc5452d570c6bba248ef96f7e65734d5c854b3f2324
Instruction ID: c16814452a866324ab16f4f18d9e042e095c8ff20fbadf148d4d7eb88120f629
Opcode Fuzzy Hash: 5674528f1e652c041a084fc5452d570c6bba248ef96f7e65734d5c854b3f2324
Instruction Fuzzy Hash: 0E519F325183019BC700EF15C9A2A6FBBA5FF94708F54482EF995A72A2DB319D09CB53

Function 004D9837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 004D9862
__swprintf.LIBCMT ref: 004D98AC
__i64tow.LIBCMT ref: 0050F5E6

Strings

True, xrefs: 0050F5A7
%.15g, xrefs: 004D98A6
0x%p, xrefs: 0050F5C8
False, xrefs: 0050F5AE

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: cdd40a403e5e7f5a0405c3217736a0db87a14eac784a8ffa3d73a32f9b53afa7
Instruction ID: e5ad3194e418d9b2d5421f90314ba5b9725a13399a1cf9ded8eac811dcb7f965
Opcode Fuzzy Hash: cdd40a403e5e7f5a0405c3217736a0db87a14eac784a8ffa3d73a32f9b53afa7
Instruction Fuzzy Hash: 37410171610209AEEB24EF35DC52A7A7BE8FF45704F20086FE549D7382EA399D029B15

Function 00557152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0055716A
CreateMenu.USER32 ref: 00557185
SetMenu.USER32(?,00000000), ref: 00557194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00557221
IsMenu.USER32(?), ref: 00557237
CreatePopupMenu.USER32 ref: 00557241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0055726E
DrawMenuBar.USER32 ref: 00557276

Strings

F, xrefs: 00557262
0, xrefs: 00557160

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 41a486998eafe2e7ae58a2139a33666a00775be173909c484d120fb4137dabcf
Instruction ID: fb1cacbc40e093aa1960ddadd503e9a29722db73f76698295078cde1e92408c3
Opcode Fuzzy Hash: 41a486998eafe2e7ae58a2139a33666a00775be173909c484d120fb4137dabcf
Instruction Fuzzy Hash: 0B417978A01309EFDB10DF64E994E9A7BB5FF18341F14402AFD0597361E731A918DB90

Function 005574BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0055755E
CreateCompatibleDC.GDI32(00000000), ref: 00557565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00557578
SelectObject.GDI32(00000000,00000000), ref: 00557580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0055758B
DeleteDC.GDI32(00000000), ref: 00557594
GetWindowLongW.USER32(?,000000EC), ref: 0055759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 005575B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 005575BE

Strings

static, xrefs: 005574F6

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: e00bd841378b761eaa08dcaf1e8a4c3702163e2f4e271ed4641188d83ea74e76
Instruction ID: 492568f0ebca458a220ce2d8b6124faa93124e6936218dc16b1cafb828eb39ac
Opcode Fuzzy Hash: e00bd841378b761eaa08dcaf1e8a4c3702163e2f4e271ed4641188d83ea74e76
Instruction Fuzzy Hash: E8317C31105219ABDF129F64EC18FDB3F69FF1D322F110226FA15920A0E731E819EB64

Function 004F6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004F6E3E

Part of subcall function 004F8B28: __getptd_noexit.LIBCMT ref: 004F8B28

__gmtime64_s.LIBCMT ref: 004F6ED7
__gmtime64_s.LIBCMT ref: 004F6F0D
__gmtime64_s.LIBCMT ref: 004F6F2A
__allrem.LIBCMT ref: 004F6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004F6F9C
__allrem.LIBCMT ref: 004F6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004F6FD1
__allrem.LIBCMT ref: 004F6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004F7006
__invoke_watson.LIBCMT ref: 004F7077

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 800ccf2ec4de997d8dc5e791f01aa18461354f46189d887229180a15befbd309
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 7571D276A0071BABD714AE69DC41B7BB7A8FF44324F14422BF614D72C1EB78DA008B94

Function 00532527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00532542
GetMenuItemInfoW.USER32(00595890,000000FF,00000000,00000030), ref: 005325A3
SetMenuItemInfoW.USER32(00595890,00000004,00000000,00000030), ref: 005325D9
Sleep.KERNEL32(000001F4), ref: 005325EB
GetMenuItemCount.USER32(?), ref: 0053262F
GetMenuItemID.USER32(?,00000000), ref: 0053264B
GetMenuItemID.USER32(?,-00000001), ref: 00532675
GetMenuItemID.USER32(?,?), ref: 005326BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00532700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00532714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00532735

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: cfb8ede4ff60dcc65bfa64ebdf1b75f497c9f5d4f37004700fa2364180b45718
Instruction ID: 4097878ddae36b09de9dc2f1935965ec2617c813044ee9a255d52ec0f64fe3b4
Opcode Fuzzy Hash: cfb8ede4ff60dcc65bfa64ebdf1b75f497c9f5d4f37004700fa2364180b45718
Instruction Fuzzy Hash: 42618C70900A49AFDF12CFA4DC99DAE7FB8FB41304F140459E842A7251EB31AE19DB21

Function 00556F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00556FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00556FA8
GetWindowLongW.USER32(?,000000F0), ref: 00556FCC
_memset.LIBCMT ref: 00556FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00556FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00557067

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: f8a234e0f9c636bc53ff99f13e58574f024ff651dd27f27ca6c84246379e4b83
Instruction ID: 68797840810d754ee46f88acbcbcbbf3fcee68295926034e9d1cc7b8c21f5015
Opcode Fuzzy Hash: f8a234e0f9c636bc53ff99f13e58574f024ff651dd27f27ca6c84246379e4b83
Instruction Fuzzy Hash: B3616A75900208AFDB11DFA4DC95EEE7BF8FB08710F10015AFA14AB2A1D771AE59DB90

Function 00526B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00526BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00526C18
VariantInit.OLEAUT32(?), ref: 00526C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00526C4A
VariantCopy.OLEAUT32(?,?), ref: 00526C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00526CB1
VariantClear.OLEAUT32(?), ref: 00526CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00526CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00526CDC
VariantClear.OLEAUT32(?), ref: 00526CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00526CF9

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: bef94c7c7863865142e5b9e04baef1d41427bc8ddfc54c915fee2b7d35f68ca5
Instruction ID: 31797019d23ec7d7524a9301d119a9f17fcafd2d765ff1b9e813478292bbe610
Opcode Fuzzy Hash: bef94c7c7863865142e5b9e04baef1d41427bc8ddfc54c915fee2b7d35f68ca5
Instruction Fuzzy Hash: 10417275A00229DFCF00EFA4D8589AEBFB9FF58355F008069E955E7261CB30AD49DB90

Function 005483BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 004D9837: __itow.LIBCMT ref: 004D9862
Part of subcall function 004D9837: __swprintf.LIBCMT ref: 004D98AC

CoInitialize.OLE32 ref: 00548403
CoUninitialize.OLE32 ref: 0054840E
CoCreateInstance.OLE32(?,00000000,00000017,00562BEC,?), ref: 0054846E
IIDFromString.OLE32(?,?), ref: 005484E1
VariantInit.OLEAUT32(?), ref: 0054857B
VariantClear.OLEAUT32(?), ref: 005485DC

Strings

Failed to create object, xrefs: 00548479, 0054852F
Invalid parameter, xrefs: 005484FA
NULL Pointer assignment, xrefs: 005484B3

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 07bbb18d8229855bc5bb98383aefb08f4422e438a4e28656262b728fba03c309
Instruction ID: 1705ed4db3fe3bdecbb7dfba9355db0d675076f5c9f77b9e4aa7539432c05b19
Opcode Fuzzy Hash: 07bbb18d8229855bc5bb98383aefb08f4422e438a4e28656262b728fba03c309
Instruction Fuzzy Hash: 5D618F70608712AFCB10DF14C849BAEBBE4BF49758F04485EF9859B291CB70ED48DB92

Function 00545732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00545793
inet_addr.WSOCK32(?,?,?), ref: 005457D8
gethostbyname.WSOCK32(?), ref: 005457E4
IcmpCreateFile.IPHLPAPI ref: 005457F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00545862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00545878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 005458ED
WSACleanup.WSOCK32 ref: 005458F3

Strings

Ping, xrefs: 00545816

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 9620a813df38f41ddb51a754c7b737344563f8ade7b62efe9a455a683c946997
Instruction ID: a990ac485405250eeceb3ae5178bac1ec80fa09a733119551ec3edf4bede0ef2
Opcode Fuzzy Hash: 9620a813df38f41ddb51a754c7b737344563f8ade7b62efe9a455a683c946997
Instruction Fuzzy Hash: 26518D316047009FDB10AF25DC59B6ABBE4FF48728F14492AF956DB2A2EB70ED04DB41

Function 0053B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0053B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0053B546
GetLastError.KERNEL32 ref: 0053B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0053B5BD

Strings

NOTREADY, xrefs: 0053B57C
READY, xrefs: 0053B596
INVALID, xrefs: 0053B58F
UNKNOWN, xrefs: 0053B575
READONLY, xrefs: 0053B588

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: bf0a07c6d04c95a5b8dbba100af20df232099e97596901ee8929ddd14d60978c
Instruction ID: 51f8b5722bd15f90946b79b10ac2aaf7d20ca82a402f7cd982a260bd259e2a10
Opcode Fuzzy Hash: bf0a07c6d04c95a5b8dbba100af20df232099e97596901ee8929ddd14d60978c
Instruction Fuzzy Hash: C831A175A00205AFEB00EB68C895ABDBFB4FF45315F50406BEA02E7291EB709A01CB51

Function 00528F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004D7DE1: _memmove.LIBCMT ref: 004D7E22

Part of subcall function 0052AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0052AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00529014
GetDlgCtrlID.USER32 ref: 0052901F
GetParent.USER32 ref: 0052903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0052903E
GetDlgCtrlID.USER32(?), ref: 00529047
GetParent.USER32(?), ref: 00529063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00529066

Strings

ComboBox, xrefs: 00528F9C
ListBox, xrefs: 00528FD1

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: e65762a62bcbfa5fde7ca078309957e92567e3f50dca2298e35f16c69fc00574
Instruction ID: afe21b3f99f5d0169c66fd4dcc5d8ac627d11a60ecd47fab573d92dbddf91d00
Opcode Fuzzy Hash: e65762a62bcbfa5fde7ca078309957e92567e3f50dca2298e35f16c69fc00574
Instruction Fuzzy Hash: 8D21F874A00208BBDF04ABA4DC99EFEBBB5FF5A310F10015AF961972E1DB755819DB20

Function 0052907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004D7DE1: _memmove.LIBCMT ref: 004D7E22

Part of subcall function 0052AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0052AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 005290FD
GetDlgCtrlID.USER32 ref: 00529108
GetParent.USER32 ref: 00529124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00529127
GetDlgCtrlID.USER32(?), ref: 00529130
GetParent.USER32(?), ref: 0052914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0052914F

Strings

ComboBox, xrefs: 00529087
ListBox, xrefs: 005290BC

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 6b21350ba0bb5e124397f96069a5ddeef09579a6bb10fd2b8523e2fc777dc0df
Instruction ID: c56916d6bc3eba23a473fe0e9370b5fefeed49c730c4026e305900c23607cfae
Opcode Fuzzy Hash: 6b21350ba0bb5e124397f96069a5ddeef09579a6bb10fd2b8523e2fc777dc0df
Instruction Fuzzy Hash: 2021F574A00209BBDF00ABA5DC99EFEBBB4FF59300F10001AB951973E1DB798819DB20

Function 00529163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0052916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00529184
_wcscmp.LIBCMT ref: 00529196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00529211

Strings

list, xrefs: 005291F3
largeicons, xrefs: 005291A5
details, xrefs: 005291BF
SHELLDLL_DefView, xrefs: 00529190
smallicons, xrefs: 005291D9

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 148ef9b34c754fc3a5fedab43437720bfc47f7833e6eb33b0f1cfaeee5dbbbf1
Instruction ID: ef1517e2e52200c2fd5a9fbbe3fb3ba36600b8fe934876e935003c0fe3e8f026
Opcode Fuzzy Hash: 148ef9b34c754fc3a5fedab43437720bfc47f7833e6eb33b0f1cfaeee5dbbbf1
Instruction Fuzzy Hash: B511E73A24831BB9EA113625FC1ADB73F9CBF16720F30042AFE10A51D2FEA598515694

Function 00537990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00537A6C

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 45bbaba08bc14114b2b43464a79e34b72e4c3ed47a2991df80237498d820842b
Instruction ID: 280248acaf1aa4f71d0cceb05d5711f0cc46d29696e01615b2d0c361ae023526
Opcode Fuzzy Hash: 45bbaba08bc14114b2b43464a79e34b72e4c3ed47a2991df80237498d820842b
Instruction Fuzzy Hash: 47B16AB1D0421E9FDB20DFA4C895BBEBBB4FF49321F244429E601A7251D734AD41DB90

Function 004DFA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004DFAA6
OleUninitialize.OLE32(?,00000000), ref: 004DFB45
UnregisterHotKey.USER32(?), ref: 004DFC9C
DestroyWindow.USER32(?), ref: 005145D6
FreeLibrary.KERNEL32(?), ref: 0051463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00514668

Strings

close all, xrefs: 004DFAA1

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 2ecec130326e0e48f80817f3d0c5ae5a2e10215e3d24abf7e55a9978a9d5f96b
Instruction ID: c80481be7080d5114ab3a951adc04f04a22691be4e4de5029aa73fdc4c74302b
Opcode Fuzzy Hash: 2ecec130326e0e48f80817f3d0c5ae5a2e10215e3d24abf7e55a9978a9d5f96b
Instruction Fuzzy Hash: D3A18F70701212CFDB28EF15C5A4A69F764BF15708F1542AFE80AAB362DB34AC5ACF54

Function 00549113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00549167
VariantInit.OLEAUT32(?), ref: 00549238
VariantInit.OLEAUT32(?), ref: 00549339
VariantClear.OLEAUT32(?), ref: 00549343
VariantClear.OLEAUT32(?), ref: 005493A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0054931C
Null Object assignment in FOR..IN loop, xrefs: 005491C8, 005492F6, 005493AE
,,V, xrefs: 005491E5

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,V$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-3152972400
Opcode ID: aa0bb44bef15d3757aa4c0f30ab134518afa72f93e203c4790c3538de775f869
Instruction ID: eba1c52022e72e0828763f93713d77057b3b768af7edd85eb994777a60a34c44
Opcode Fuzzy Hash: aa0bb44bef15d3757aa4c0f30ab134518afa72f93e203c4790c3538de775f869
Instruction Fuzzy Hash: E6918F71A00219ABDF24DFA5C84AFEFBBB8FF45718F108559F915AB280D7709905CBA0

Function 0052A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0052A439), ref: 0052A377

Strings

NAME, xrefs: 0052A1A9
INSTANCE, xrefs: 0052A285
CLASS, xrefs: 0052A0F6
TEXT, xrefs: 0052A2AE
REGEXPCLASS, xrefs: 0052A13C
CLASSNN, xrefs: 0052A119

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 3296477c1fd65d70f31a64d4793a4322eabd2555bbc85850794ab50cb69e54cd
Instruction ID: a19371685d05f5fc216c9acdf4a9e99695e03bd0304e64bb266e4ea8a3a48936
Opcode Fuzzy Hash: 3296477c1fd65d70f31a64d4793a4322eabd2555bbc85850794ab50cb69e54cd
Instruction Fuzzy Hash: 92911431A0061AEBCB08EFA1D451BEDFFB4BF55304F50851ED949A3282DF30A999CB95

Function 004D2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 004D2EAE

Part of subcall function 004D1DB3: GetClientRect.USER32(?,?), ref: 004D1DDC
Part of subcall function 004D1DB3: GetWindowRect.USER32(?,?), ref: 004D1E1D
Part of subcall function 004D1DB3: ScreenToClient.USER32(?,?), ref: 004D1E45

GetDC.USER32 ref: 0050CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0050CD45
SelectObject.GDI32(00000000,00000000), ref: 0050CD53
SelectObject.GDI32(00000000,00000000), ref: 0050CD68
ReleaseDC.USER32(?,00000000), ref: 0050CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0050CDFB

Strings

U, xrefs: 0050CCD0

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 74c58f6474fcc1b15da3b762d86a64496d05b3b0bd4b1eb78f8585224055df7a
Instruction ID: 78227cd44c7dd29a4200e85b26edd7421c5907e0af395266e72e212b4a1e4714
Opcode Fuzzy Hash: 74c58f6474fcc1b15da3b762d86a64496d05b3b0bd4b1eb78f8585224055df7a
Instruction Fuzzy Hash: 4B71DF31400245EFCF218F64C894AAE7FB5FF5A320F14436BED555A2A6D7309C55EB60

Function 00541A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00541A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00541A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00541ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00541AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00541AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00541B10
InternetCloseHandle.WININET(00000000), ref: 00541B57

Part of subcall function 00542483: GetLastError.KERNEL32(?,?,00541817,00000000,00000000,00000001), ref: 00542498
Part of subcall function 00542483: SetEvent.KERNEL32(?,?,00541817,00000000,00000000,00000001), ref: 005424AD

Strings

, xrefs: 00541B01

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: c8e55de59c813306203307f54581fcb8450c2fa06e1eec14c11dc92119651e15
Instruction ID: c3afad5bfebbfeb341652e44eb74e63854db48f695eb97b6919904d4c017ddac
Opcode Fuzzy Hash: c8e55de59c813306203307f54581fcb8450c2fa06e1eec14c11dc92119651e15
Instruction Fuzzy Hash: 16417BB1501619BFEB119F50CC89FFB7BACFF08359F00412AFA059A141E7709E849BA8

Function 00548C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0055F910), ref: 00548D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0055F910), ref: 00548D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00548ED6
SysFreeString.OLEAUT32(?), ref: 00548F00

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 3e1f3fa1c3b57b6d78c6b03619d5c57a264ad666c71a55a24fc4b625a873fd63
Instruction ID: 4845c262896b7438fe2dc4615d2920c5ac61eb5a07a4ec8572a123723d58e5ae
Opcode Fuzzy Hash: 3e1f3fa1c3b57b6d78c6b03619d5c57a264ad666c71a55a24fc4b625a873fd63
Instruction Fuzzy Hash: C3F10971A00209AFDF14DF94C888EEEBBB9FF45319F108499F915AB251DB31AE45CB50

Function 0054F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0054F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0054F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0054F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0054F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0054F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0054FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0054FA7C
CloseHandle.KERNEL32(?), ref: 0054FAAB
CloseHandle.KERNEL32(?), ref: 0054FB22

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 8621f8ec4463c418f114dc2ac719911ff95fbf9dd2b0efa5c1402d8077b90b19
Instruction ID: 07d486f70928b77c5c2cf2a9402497a63df1bdf913383598d0dfcb953cdfd986
Opcode Fuzzy Hash: 8621f8ec4463c418f114dc2ac719911ff95fbf9dd2b0efa5c1402d8077b90b19
Instruction Fuzzy Hash: 95E1B3316043419FD714EF29C495B6ABBE1FF85318F14896EF8859B2A2CB34EC45CB52

Function 00534CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0053466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00533697,?), ref: 0053468B

Part of subcall function 0053466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00533697,?), ref: 005346A4

Part of subcall function 00534A31: GetFileAttributesW.KERNEL32(?,0053370B), ref: 00534A32

lstrcmpiW.KERNEL32(?,?), ref: 00534D40
_wcscmp.LIBCMT ref: 00534D5A
MoveFileW.KERNEL32(?,?), ref: 00534D75

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 62bac537a11ee9d0377a28d91a4b98a90a8f41e86824a8425ef445eebcc8c7ed
Instruction ID: c86953fcd8c2a126d6096bc5a8ec331cdcd17e5fa6aa757e5e8c64bdf2346953
Opcode Fuzzy Hash: 62bac537a11ee9d0377a28d91a4b98a90a8f41e86824a8425ef445eebcc8c7ed
Instruction Fuzzy Hash: 355150B20083459BC725DBA4D8959EFB7ECAF84314F40092FB689D3151EF74B588CB6A

Function 00558645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 005586FF

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 8645a8879da8e41f3a1ef882532c9787d0eb65c5c6774dba0caef1f784c0543d
Instruction ID: 5f8a06f432849c282c841f4d28efc37a54b3dc01c8e68d8cc867507447ff3d6f
Opcode Fuzzy Hash: 8645a8879da8e41f3a1ef882532c9787d0eb65c5c6774dba0caef1f784c0543d
Instruction Fuzzy Hash: 7751AF30610204BEEB209B258CA9FBD3FA4FB19316F604517FD51F62A1DF72A988DB41

Function 004D2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0050C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0050C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0050C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0050C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0050C370
DestroyIcon.USER32(00000000), ref: 0050C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0050C39C
DestroyIcon.USER32(?), ref: 0050C3AB

Part of subcall function 0055A4AF: DeleteObject.GDI32(00000000), ref: 0055A4E8

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: abc2e92d2c3ce3143f08340b7dc92a9c8629380985bbc6ab6d5389ea4cdd7ba6
Instruction ID: b054487445453c6ce9c23231a0b9efb11c5cc68b8bd4816aa66bd668a36f4519
Opcode Fuzzy Hash: abc2e92d2c3ce3143f08340b7dc92a9c8629380985bbc6ab6d5389ea4cdd7ba6
Instruction Fuzzy Hash: 83517970A10205EFDB20DF64CD55BAE3BA5FB68311F10462AF902973E0D7B4AD91EB50

Function 0052966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0052A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0052A84C
Part of subcall function 0052A82C: GetCurrentThreadId.KERNEL32 ref: 0052A853
Part of subcall function 0052A82C: AttachThreadInput.USER32(00000000,?,00529683,?,00000001), ref: 0052A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0052968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005296AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 005296AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 005296B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 005296D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005296D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 005296E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 005296F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005296FB

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: b4c059eb7ecb0e8f1a0c59f03332490ce152db6e0de5a0aea07fd656a6d23187
Instruction ID: 6d9c2570e56c83f3a364fe3dae6afac6a1750867c3a93b6c66385e4f5a318d2f
Opcode Fuzzy Hash: b4c059eb7ecb0e8f1a0c59f03332490ce152db6e0de5a0aea07fd656a6d23187
Instruction Fuzzy Hash: 7111CEB1910618BFF6106B60EC89F6A3E6DEF4D752F100425F244AB1E0C9F26C10EBA4

Function 00528921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0052853C,00000B00,?,?), ref: 0052892A
HeapAlloc.KERNEL32(00000000,?,0052853C,00000B00,?,?), ref: 00528931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0052853C,00000B00,?,?), ref: 00528946
GetCurrentProcess.KERNEL32(?,00000000,?,0052853C,00000B00,?,?), ref: 0052894E
DuplicateHandle.KERNEL32(00000000,?,0052853C,00000B00,?,?), ref: 00528951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0052853C,00000B00,?,?), ref: 00528961
GetCurrentProcess.KERNEL32(0052853C,00000000,?,0052853C,00000B00,?,?), ref: 00528969
DuplicateHandle.KERNEL32(00000000,?,0052853C,00000B00,?,?), ref: 0052896C
CreateThread.KERNEL32(00000000,00000000,00528992,00000000,00000000,00000000), ref: 00528986

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 2394031f664858a88c13b5168cab6f7bb40178edfc59fa31447148f74ef4000d
Instruction ID: ed517880d9e46e15a84c7b43349e4277f436a1b5dc27699e4db15adb001ef996
Opcode Fuzzy Hash: 2394031f664858a88c13b5168cab6f7bb40178edfc59fa31447148f74ef4000d
Instruction Fuzzy Hash: B701BBB5240708FFE710ABA5DC4DF6B3BACEB99711F408421FA05DB1A1CA709804DB21

Function 00549B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00549B7B
NULL Pointer assignment, xrefs: 00549BA4, 00549EC8

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: a1f42b55668f7868230454869dbee132d72d2eaafd58bd44d4900e2a8e359743
Instruction ID: 18062b35554a7852fb70d9c437b93fe8e267a1e20d9c7effddf1708dd8a2fe9c
Opcode Fuzzy Hash: a1f42b55668f7868230454869dbee132d72d2eaafd58bd44d4900e2a8e359743
Instruction Fuzzy Hash: 3CC18571A0021A9FDF14DF58D885AEFBBF9FF88318F148469E905A7281E7709D45CB90

Function 0054975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0052710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00527044,80070057,?,?,?,00527455), ref: 00527127
Part of subcall function 0052710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00527044,80070057,?,?), ref: 00527142
Part of subcall function 0052710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00527044,80070057,?,?), ref: 00527150
Part of subcall function 0052710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00527044,80070057,?), ref: 00527160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00549806
_memset.LIBCMT ref: 00549813
_memset.LIBCMT ref: 00549956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00549982
CoTaskMemFree.OLE32(?), ref: 0054998D

Strings

NULL Pointer assignment, xrefs: 005499DB

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 056109c3db153203918e69ea5723bd1b2ddf7c1d55da684fce2757ac4e5072e7
Instruction ID: b37e092139e735ad5eee45b7aaf68789916196bd6f414377ea87968451a3e65a
Opcode Fuzzy Hash: 056109c3db153203918e69ea5723bd1b2ddf7c1d55da684fce2757ac4e5072e7
Instruction Fuzzy Hash: 24913771D00229EBDB10DFA5DC95EDEBBB9BF08314F20415AF419A7291EB719A44CFA0

Function 00556D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00556E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00556E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00556E52
_wcscat.LIBCMT ref: 00556EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00556EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00556EF2

Strings

SysListView32, xrefs: 00556DF6

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: acecb427133ba64f4a7b37c79a6926c2b7874f2205ddb171c93a36e1fda17e12
Instruction ID: 6040f0a73aa2f4871d766fe7abbc1c3ebdde880e89f1fee4c672474dbcbdfc0f
Opcode Fuzzy Hash: acecb427133ba64f4a7b37c79a6926c2b7874f2205ddb171c93a36e1fda17e12
Instruction Fuzzy Hash: A4419370A00349ABDB219FA4CC95BEF7BF8FF08351F50082AF944E7291D6719D888B60

Function 0054E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00533C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00533C7A
Part of subcall function 00533C55: Process32FirstW.KERNEL32(00000000,?), ref: 00533C88
Part of subcall function 00533C55: CloseHandle.KERNEL32(00000000), ref: 00533D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0054E9A4
GetLastError.KERNEL32 ref: 0054E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0054E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0054EA63
GetLastError.KERNEL32(00000000), ref: 0054EA6E
CloseHandle.KERNEL32(00000000), ref: 0054EAA3

Strings

SeDebugPrivilege, xrefs: 0054E9C2

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: aa4387210ddf6dc094bbb59a29529d7ae9cdb152c2edb0ae9f0534fcd9ee8188
Instruction ID: 0899f44a69e0e7ff2d29fa77ba21f9227053814de42dcd205904e75c6bdbf127
Opcode Fuzzy Hash: aa4387210ddf6dc094bbb59a29529d7ae9cdb152c2edb0ae9f0534fcd9ee8188
Instruction Fuzzy Hash: BF418B312002019FDB14EF55DCAAFADBBA5BF81718F04845AF9029B3D2CB75AC08DB95

Function 00532F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00533033

Strings

info, xrefs: 00532FD4
stop, xrefs: 00533004
question, xrefs: 00532FEC
blank, xrefs: 00532FB5
warning, xrefs: 0053301C

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 1960e3a767317defc86280a438b5bc1d49342398fedafab4b5dfe84e7dc64e79
Instruction ID: bb219ef5c57d926bc0ae063041133abe612353101f959d554f3cd6b8b839fc52
Opcode Fuzzy Hash: 1960e3a767317defc86280a438b5bc1d49342398fedafab4b5dfe84e7dc64e79
Instruction Fuzzy Hash: 8F11E73174C74ABEE718AA95DC86D7B7F9CFF15364F20002AFA00A6181EBB55F4056A4

Function 005342F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00534312
LoadStringW.USER32(00000000), ref: 00534319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0053432F
LoadStringW.USER32(00000000), ref: 00534336
_wprintf.LIBCMT ref: 0053435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0053437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00534357

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: f0115806c13ab4cd49f37fdf3b10a12454fa00059747c3ab78e488775eb02fe1
Instruction ID: 14d3cba764d62874362b6b25a021a623e23aa881bce1d00724d280b463f5e0c4
Opcode Fuzzy Hash: f0115806c13ab4cd49f37fdf3b10a12454fa00059747c3ab78e488775eb02fe1
Instruction Fuzzy Hash: B50167F6900308BFD7119B90DD89EF7776CE708301F4005A5BB45E2051EA746E895B74

Function 0055D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004D2612: GetWindowLongW.USER32(?,000000EB), ref: 004D2623

GetSystemMetrics.USER32(0000000F), ref: 0055D47C
GetSystemMetrics.USER32(0000000F), ref: 0055D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0055D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0055D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0055D716
ShowWindow.USER32(00000003,00000000), ref: 0055D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0055D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0055D77D

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 223e9f46df5a6c21e705334e58473703e825c041f4b1d55e34d2da0e2110361a
Instruction ID: b571aee9a63dd8d4c69dfd8ad3d64cae4c6a5802c792dfcf56bcb35e845233e5
Opcode Fuzzy Hash: 223e9f46df5a6c21e705334e58473703e825c041f4b1d55e34d2da0e2110361a
Instruction Fuzzy Hash: 28B18C72500215EBDF24CF68C9A57AD7BB1FF48702F04806AED489F295E774A958CB60

Function 004D2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0050C1C7,00000004,00000000,00000000,00000000), ref: 004D2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0050C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 004D2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0050C1C7,00000004,00000000,00000000,00000000), ref: 0050C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0050C1C7,00000004,00000000,00000000,00000000), ref: 0050C286

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0f7d7c3b6658e3db6366533f5806a13e65e2860a1d3b8b1bd808758b5b982755
Instruction ID: f204b07c5d573172e61562a4ced5ed02433dac2a75eec9601c31478ca65067c9
Opcode Fuzzy Hash: 0f7d7c3b6658e3db6366533f5806a13e65e2860a1d3b8b1bd808758b5b982755
Instruction Fuzzy Hash: 3D410A347047809ACB759B288EACB6F7F91FBB6300F54891FE047467A1C6F8A846E715

Function 005370C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 005370DD

Part of subcall function 004F0DB6: std::exception::exception.LIBCMT ref: 004F0DEC
Part of subcall function 004F0DB6: __CxxThrowException@8.LIBCMT ref: 004F0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00537114
EnterCriticalSection.KERNEL32(?), ref: 00537130
_memmove.LIBCMT ref: 0053717E
_memmove.LIBCMT ref: 0053719B
LeaveCriticalSection.KERNEL32(?), ref: 005371AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 005371BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 005371DE

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 89c2dde15aaba276341487fee1a314750e12b509328f90fd60b43acdf19308d3
Instruction ID: 054edfec8ef04b22ea9de5fbe6e6535caefc53e62c213068c90d4625ad2e44d7
Opcode Fuzzy Hash: 89c2dde15aaba276341487fee1a314750e12b509328f90fd60b43acdf19308d3
Instruction Fuzzy Hash: 1F317276900209EBCF10DFA5DC859AFBB78FF85310F1441A9EA04AB256DB349E14DB64

Function 005561D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005561EB
GetDC.USER32(00000000), ref: 005561F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005561FE
ReleaseDC.USER32(00000000,00000000), ref: 0055620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00556246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00556257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0055902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00556291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005562B1

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: f6010e20e1048e345901a6c88fab046d5035aea02554dcdeab8e99cd392188cf
Instruction ID: cc62e87b1fdf4d7d6ed3ea46b88bcec65e84b8ae103a3e8fd961cdeda2053880
Opcode Fuzzy Hash: f6010e20e1048e345901a6c88fab046d5035aea02554dcdeab8e99cd392188cf
Instruction Fuzzy Hash: FF318B76200210BFEB108F50CC9AFEB3FA9FF59766F040065FE089A2A1C6759845CB70

Function 0052BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0052BBC4
_memcmp.LIBCMT ref: 0052BBE6
_memcmp.LIBCMT ref: 0052BBFE
_memcmp.LIBCMT ref: 0052BC11
_memcmp.LIBCMT ref: 0052BC2B
_memcmp.LIBCMT ref: 0052BC3E
_memcmp.LIBCMT ref: 0052BC56
_memcmp.LIBCMT ref: 0052BC71

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 954481c4bbec387b6328a7950a401cec3dbb9cb52bb45683a7d0cd6a2501447b
Instruction ID: d439fb1c7962bb327f9133c2161e56a2e49ba3f72767fa302cf9fe165cb3a52d
Opcode Fuzzy Hash: 954481c4bbec387b6328a7950a401cec3dbb9cb52bb45683a7d0cd6a2501447b
Instruction Fuzzy Hash: 9A21D46160162BBBF6046612AD42FBB7F5CBE6235CF084425FE04A76C7EB28DE11C1A5

Function 0053EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 004D9837: __itow.LIBCMT ref: 004D9862
Part of subcall function 004D9837: __swprintf.LIBCMT ref: 004D98AC

Part of subcall function 004EFC86: _wcscpy.LIBCMT ref: 004EFCA9

_wcstok.LIBCMT ref: 0053EC94
_wcscpy.LIBCMT ref: 0053ED23
_memset.LIBCMT ref: 0053ED56

Strings

X, xrefs: 0053ED93

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: a7a48b89017a1556b7ee86685c3a870db8f4f5d149f9f07ccc558fff0df031e8
Instruction ID: d43eb8a813cf9554679331801b0ceb6eeeb62d6ef65ab4cb9081b8748c7203f9
Opcode Fuzzy Hash: a7a48b89017a1556b7ee86685c3a870db8f4f5d149f9f07ccc558fff0df031e8
Instruction Fuzzy Hash: 53C19F716083049FC714EF25C896A6ABBE4FF85314F00492EF8999B3A2DB74EC45CB46

Function 00546B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00546C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00546C21
WSAGetLastError.WSOCK32(00000000), ref: 00546C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00546CEA
inet_ntoa.WSOCK32(?), ref: 00546CA7

Part of subcall function 0052A7E9: _strlen.LIBCMT ref: 0052A7F3
Part of subcall function 0052A7E9: _memmove.LIBCMT ref: 0052A815

_strlen.LIBCMT ref: 00546D44
_memmove.LIBCMT ref: 00546DAD

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 60062e86835f8f164e4679206c29705a3096cf59494555bd60f47d782f8ff6b0
Instruction ID: dc2c83e612ceab98956cf59ead03ebecc325d015982fcb636787b9a4eaf9d5e2
Opcode Fuzzy Hash: 60062e86835f8f164e4679206c29705a3096cf59494555bd60f47d782f8ff6b0
Instruction Fuzzy Hash: 2081FF71604300ABC710EB25CCA6FAABBA8FF85718F10491EF9559B2D2DB34AD04CB56

Function 004D1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063ea2833291f60fca1d5041fcba635c0fe07081503d2eca0707979fb55535cc
Instruction ID: dee06ed55e85454244741e54c4cede571d01588e5f9aa9c15e85c02c673110fb
Opcode Fuzzy Hash: 063ea2833291f60fca1d5041fcba635c0fe07081503d2eca0707979fb55535cc
Instruction Fuzzy Hash: 33716D30900109FFDB049F99CC98ABEBB79FF85314F14815AF915AB361C738AA51CB64

Function 0055B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01764B30), ref: 0055B3EB
IsWindowEnabled.USER32(01764B30), ref: 0055B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0055B4DB
SendMessageW.USER32(01764B30,000000B0,?,?), ref: 0055B512
IsDlgButtonChecked.USER32(?,?), ref: 0055B54F
GetWindowLongW.USER32(01764B30,000000EC), ref: 0055B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0055B589

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 5dc4a71dfd11df1ca2f343872fa44ae36332810f69f9b4e582e4b8c57d85d110
Instruction ID: 49527703239527ad966421d94cd976d99f2bb210d159205e35ce0adec1842e76
Opcode Fuzzy Hash: 5dc4a71dfd11df1ca2f343872fa44ae36332810f69f9b4e582e4b8c57d85d110
Instruction Fuzzy Hash: D0717B34600204EFEF219F55C8A8FAA7FBAFF19302F14445AED45972A2D732A958DB50

Function 0054F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0054F448
_memset.LIBCMT ref: 0054F511
ShellExecuteExW.SHELL32(?), ref: 0054F556

Part of subcall function 004D9837: __itow.LIBCMT ref: 004D9862
Part of subcall function 004D9837: __swprintf.LIBCMT ref: 004D98AC

Part of subcall function 004EFC86: _wcscpy.LIBCMT ref: 004EFCA9

GetProcessId.KERNEL32(00000000), ref: 0054F5CD
CloseHandle.KERNEL32(00000000), ref: 0054F5FC

Strings

@, xrefs: 0054F525

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: f441de9eaa43e7fb0ecc5e57711ef431eeba5efe2fc8d8eca93352786ac3c672
Instruction ID: 7e542d96c9bf1142f6435b761a213d343813fca908d66555aa0a706ce62e0ca6
Opcode Fuzzy Hash: f441de9eaa43e7fb0ecc5e57711ef431eeba5efe2fc8d8eca93352786ac3c672
Instruction Fuzzy Hash: 3361AD75A006199FCF14EFA9C4919AEBBF5FF48318F14806EE819AB351CB34AD41CB94

Function 00530F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00530F8C
GetKeyboardState.USER32(?), ref: 00530FA1
SetKeyboardState.USER32(?), ref: 00531002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00531030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0053104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00531095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 005310B8

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5f7a2ca754e3ac6f6f6d2cb3b7e32b4a1e41b1f16e200299674a9195b10d31d2
Instruction ID: bc37a3d73478d544c1c55a0f84d894a8989fb71bf1441a1d427308257590529c
Opcode Fuzzy Hash: 5f7a2ca754e3ac6f6f6d2cb3b7e32b4a1e41b1f16e200299674a9195b10d31d2
Instruction Fuzzy Hash: C051E5A0504BD53EFB3642348C19BB6BFA97B06304F088989F1D5868D3C2D9DCC8D755

Function 00530D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00530DA5
GetKeyboardState.USER32(?), ref: 00530DBA
SetKeyboardState.USER32(?), ref: 00530E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00530E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00530E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00530EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00530EC9

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 05348ac8d2c03c69e46ea0134421ecec5b56fc200f0c2416287452d2ca350d94
Instruction ID: a37c6c4f87699cc576deeeed2b52c22a7bf9e671363aaa8a739c6e3ad195bcdb
Opcode Fuzzy Hash: 05348ac8d2c03c69e46ea0134421ecec5b56fc200f0c2416287452d2ca350d94
Instruction Fuzzy Hash: 0051D3A06487D53DFB3683748C65B7ABFA97B06300F089889F1D54A8C2D395AC98E760

Function 005355FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0053560A
_wcsncpy.LIBCMT ref: 0053563F
_wcsncpy.LIBCMT ref: 00535671
_wcsncpy.LIBCMT ref: 005356A4
_wcsncpy.LIBCMT ref: 005356E6
_wcsncpy.LIBCMT ref: 00535720
_wcsncpy.LIBCMT ref: 0053574F

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 0756f948a865decd182b727ebe3ef0fbbba2623984273281d2e50454f582a7af
Instruction ID: 39c126859671027e2392d97bf31a8f53ce599ecbf91c72ddf08e41ecb5847067
Opcode Fuzzy Hash: 0756f948a865decd182b727ebe3ef0fbbba2623984273281d2e50454f582a7af
Instruction Fuzzy Hash: 92419365C1161876CB11EBF58C469DFB7B8AF44310F50995AE608E3221FA38E245C7AA

Function 0052D56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0052D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0052D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0052D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0052D69D

Strings

,,V, xrefs: 0052D578
DllGetClassObject, xrefs: 0052D610

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,V$DllGetClassObject
API String ID: 753597075-880939190
Opcode ID: de8a40a8c5f78cef53bef8bc591c2fe0260df1dcad897e8df65da6d4e5e2a1ec
Instruction ID: e5951ae6a77f5488293a76c5f297fb419951e3cc3e86a23edc4b52bdb7d097ab
Opcode Fuzzy Hash: de8a40a8c5f78cef53bef8bc591c2fe0260df1dcad897e8df65da6d4e5e2a1ec
Instruction Fuzzy Hash: B4418FB1600214EFDB05DF64D884A9A7FB9FF45310F1580A9AC099F285D7B5ED44DBB0

Function 00533671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0053466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00533697,?), ref: 0053468B

Part of subcall function 0053466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00533697,?), ref: 005346A4

lstrcmpiW.KERNEL32(?,?), ref: 005336B7
_wcscmp.LIBCMT ref: 005336D3
MoveFileW.KERNEL32(?,?), ref: 005336EB
_wcscat.LIBCMT ref: 00533733
SHFileOperationW.SHELL32(?), ref: 0053379F

Strings

\*.*, xrefs: 0053372D

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 40f315aa3a5f513812938ac34dacf4b20e2a1f339400072a284b5414c34fedc4
Instruction ID: 1dc52a04713a6277fb2a3a18fcfdeec1c22fb9ed1fce889a52b1abd8b227fdad
Opcode Fuzzy Hash: 40f315aa3a5f513812938ac34dacf4b20e2a1f339400072a284b5414c34fedc4
Instruction Fuzzy Hash: 8C418DB1508345AEC751EF64D4569EFBBE8FF88384F00092EB49AC3251EB34D689CB56

Function 00557291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005572AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00557351
IsMenu.USER32(?), ref: 00557369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005573B1
DrawMenuBar.USER32 ref: 005573C4

Strings

0, xrefs: 0055729E

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 29f57e3753b722dc1e372df101bad965dd9c9b8b4b416e37c8f5eeeaaf3c28bc
Instruction ID: 928303e4fb13293c7de063b125325abc3d1d00e2c57dae5c81d8836087c99bd4
Opcode Fuzzy Hash: 29f57e3753b722dc1e372df101bad965dd9c9b8b4b416e37c8f5eeeaaf3c28bc
Instruction Fuzzy Hash: B4413975A04208EFDB20DF50E894A9ABBF8FF08361F25882AFD0597250D730AD58EF50

Function 00550FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00550FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00550FFE
FreeLibrary.KERNEL32(00000000), ref: 005510B5

Part of subcall function 00550FA5: RegCloseKey.ADVAPI32(?), ref: 0055101B
Part of subcall function 00550FA5: FreeLibrary.KERNEL32(?), ref: 0055106D
Part of subcall function 00550FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00551090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00551058

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 5860bef8614ccb1c1b9d104c7242798607c7fc83314e5aade76bf68f1d85cb72
Instruction ID: 3090a390ecea9f8c773af826d3e7e7cd4f64eb129c4750f1fc663ac18ec15cfc
Opcode Fuzzy Hash: 5860bef8614ccb1c1b9d104c7242798607c7fc83314e5aade76bf68f1d85cb72
Instruction Fuzzy Hash: 28310171901109BFDB159F90DC99EFFBBBCFF08311F04016AE902A2191DA749E899B64

Function 005562CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005562EC
GetWindowLongW.USER32(01764B30,000000F0), ref: 0055631F
GetWindowLongW.USER32(01764B30,000000F0), ref: 00556354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00556386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 005563B0
GetWindowLongW.USER32(00000000,000000F0), ref: 005563C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 005563DB

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 0d10cb7bd5772a05ba9733ba66a7c70dbc64e30a2b3f1f091e4cc81b422445bf
Instruction ID: 11b87eace3ac36c885aee1eacc14a35b7fc51fe8ba5a74d9d2c2f7bfcfc23c9c
Opcode Fuzzy Hash: 0d10cb7bd5772a05ba9733ba66a7c70dbc64e30a2b3f1f091e4cc81b422445bf
Instruction Fuzzy Hash: 8D3135306002809FDB21CF18DCA4F553BE1FB5A716FAA05A6F9018F2B1CB71AC48EB50

Function 0052DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0052DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0052DB54
SysAllocString.OLEAUT32(00000000), ref: 0052DB57
SysAllocString.OLEAUT32(?), ref: 0052DB75
SysFreeString.OLEAUT32(?), ref: 0052DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 0052DBA3
SysAllocString.OLEAUT32(?), ref: 0052DBB1

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7ccfe2b40555127f76eca9a7c027b0a4cc9270e0e5236ab07038c7459f3d58c3
Instruction ID: 1d8bf05e4c9997e7dfe6d5e0667429e36cde512acd336b0621a93474644cee50
Opcode Fuzzy Hash: 7ccfe2b40555127f76eca9a7c027b0a4cc9270e0e5236ab07038c7459f3d58c3
Instruction Fuzzy Hash: 09219F32600229AF9F109FA8EC98CBB77ACFF09360B018525FE14DB290D670AC459B64

Function 00546173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00547D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00547DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 005461C6
WSAGetLastError.WSOCK32(00000000), ref: 005461D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0054620E
connect.WSOCK32(00000000,?,00000010), ref: 00546217
WSAGetLastError.WSOCK32 ref: 00546221
closesocket.WSOCK32(00000000), ref: 0054624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00546263

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 35920f2138d6d67c43335b1d8aeafd59af6d45b7bc7741d8a9acf0a281fac219
Instruction ID: 9e5878f6b4f0b3fd4af2856e91062f92333ca63eb035cd3547b8d7a23b6f480f
Opcode Fuzzy Hash: 35920f2138d6d67c43335b1d8aeafd59af6d45b7bc7741d8a9acf0a281fac219
Instruction Fuzzy Hash: 40319035600218ABDF10AF64CC95BBE7BADFF45719F04402AF905E7291DB74AC08DBA2

Function 0052F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0052F671
__wcsnicmp.LIBCMT ref: 0052F692
__wcsnicmp.LIBCMT ref: 0052F6AC

Strings

#OnAutoItStartRegister, xrefs: 0052F6A6
#requireadmin, xrefs: 0052F68C
#notrayicon, xrefs: 0052F669

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 8033044d5349b56b1e17abe38b9de20f9a00a0811a15fceb6cc9b26b90f73c68
Instruction ID: 95633a5d46a6bbe66011d68c96a94068f84c144197cf986c72eec7b9e9edf23b
Opcode Fuzzy Hash: 8033044d5349b56b1e17abe38b9de20f9a00a0811a15fceb6cc9b26b90f73c68
Instruction Fuzzy Hash: 9621767220463166D220AB35FC02EBB7BE8FF56748F18843EF942871D1EB94AD45C398

Function 0052DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0052DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0052DC2F
SysAllocString.OLEAUT32(00000000), ref: 0052DC32
SysAllocString.OLEAUT32 ref: 0052DC53
SysFreeString.OLEAUT32 ref: 0052DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 0052DC76
SysAllocString.OLEAUT32(?), ref: 0052DC84

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 8ec4552e91a092132551acb88958f04a5167914b08d3080c20f3b922c1942713
Instruction ID: 7cdbe17a6135db49c7c04088098dd4dabf3443129cf0dd9a1dcf15fdf85c99e7
Opcode Fuzzy Hash: 8ec4552e91a092132551acb88958f04a5167914b08d3080c20f3b922c1942713
Instruction Fuzzy Hash: 47219035605214AF9B109BA8EC88CAB7BACFF09360B108125F904DB2A1DAB0EC45DB74

Function 005575CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004D1D73
Part of subcall function 004D1D35: GetStockObject.GDI32(00000011), ref: 004D1D87
Part of subcall function 004D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 004D1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00557632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0055763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0055764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00557659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00557665

Strings

Msctls_Progress32, xrefs: 00557603

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: db0aa1088dfeb9152f949e382645c3a6b60adc2629fffb44c2b7bd09fe8ed466
Instruction ID: e61d8a7378876529ba961b8ca5a9d437938938b79f0bf25d7d858f7dd3394368
Opcode Fuzzy Hash: db0aa1088dfeb9152f949e382645c3a6b60adc2629fffb44c2b7bd09fe8ed466
Instruction Fuzzy Hash: 6F1190B211021DBFEF159F64DC85EE77F6DFF08798F014115BA04A20A0DA72AC25DBA4

Function 004F9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 004F9AE6

Part of subcall function 004F3187: EncodePointer.KERNEL32(00000000), ref: 004F318A
Part of subcall function 004F3187: __initp_misc_winsig.LIBCMT ref: 004F31A5
Part of subcall function 004F3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004F9EA0
Part of subcall function 004F3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004F9EB4
Part of subcall function 004F3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004F9EC7
Part of subcall function 004F3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004F9EDA
Part of subcall function 004F3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004F9EED
Part of subcall function 004F3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 004F9F00
Part of subcall function 004F3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 004F9F13
Part of subcall function 004F3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 004F9F26
Part of subcall function 004F3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 004F9F39
Part of subcall function 004F3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 004F9F4C
Part of subcall function 004F3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 004F9F5F
Part of subcall function 004F3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 004F9F72
Part of subcall function 004F3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 004F9F85
Part of subcall function 004F3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 004F9F98
Part of subcall function 004F3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 004F9FAB
Part of subcall function 004F3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 004F9FBE

__mtinitlocks.LIBCMT ref: 004F9AEB
__mtterm.LIBCMT ref: 004F9AF4

Part of subcall function 004F9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,004F9AF9,004F7CD0,0058A0B8,00000014), ref: 004F9C56
Part of subcall function 004F9B5C: _free.LIBCMT ref: 004F9C5D
Part of subcall function 004F9B5C: DeleteCriticalSection.KERNEL32(02Y,?,?,004F9AF9,004F7CD0,0058A0B8,00000014), ref: 004F9C7F

__calloc_crt.LIBCMT ref: 004F9B19
__initptd.LIBCMT ref: 004F9B3B
GetCurrentThreadId.KERNEL32 ref: 004F9B42

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 486d6b81c5ad4581ac5586208cb1c53337d242c2f7034a53cfaf33f0071039e3
Instruction ID: 3fe4970da67c676d1b82e60e4a1c12c781692e3e5de6833f936329feca94278a
Opcode Fuzzy Hash: 486d6b81c5ad4581ac5586208cb1c53337d242c2f7034a53cfaf33f0071039e3
Instruction Fuzzy Hash: 2AF0C2325197191AE6747A76BC07B7B3690AB02338B20061FF710951D6EE689C00426C

Function 0055B635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0055B644
_memset.LIBCMT ref: 0055B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00596F20,00596F64), ref: 0055B682
CloseHandle.KERNEL32 ref: 0055B694

Strings

doY, xrefs: 0055B64D
oY, xrefs: 0055B63E

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: oY$doY
API String ID: 3277943733-237777786
Opcode ID: 269f0cca2ebcdbfd78de6d97450bbada44b6e3812a6a855db445dc48bd590e00
Instruction ID: 9943da1973932b5ebdf28fbb6ca0c82d433ad793924eca9e62d9063f226ea19b
Opcode Fuzzy Hash: 269f0cca2ebcdbfd78de6d97450bbada44b6e3812a6a855db445dc48bd590e00
Instruction Fuzzy Hash: 0BF082B25403047BF7102761BC0AFBB3E9CEB19396F014422FB08E51A6D7754C08D7A8

Function 004F406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,004F3F85), ref: 004F4085
GetProcAddress.KERNEL32(00000000), ref: 004F408C
EncodePointer.KERNEL32(00000000), ref: 004F4097
DecodePointer.KERNEL32(004F3F85), ref: 004F40B2

Strings

RoUninitialize, xrefs: 004F4074
combase.dll, xrefs: 004F4080

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 3e06049cff2ec58bdb7bf92a76897e372210d075bdd4f05b718d67f57871851d
Instruction ID: dcd7ac39ccbea08e5255759f08a57efa29e312518a35251212d49597bdc60762
Opcode Fuzzy Hash: 3e06049cff2ec58bdb7bf92a76897e372210d075bdd4f05b718d67f57871851d
Instruction Fuzzy Hash: 62E0B670585700EFEB20AF61EC1DB163AA4B724783F124426F205E21B0CFB6460CFB19

Function 005364B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0053660B
_memmove.LIBCMT ref: 00536546

Part of subcall function 004D9837: __itow.LIBCMT ref: 004D9862
Part of subcall function 004D9837: __swprintf.LIBCMT ref: 004D98AC

_memmove.LIBCMT ref: 005365B9
_memmove.LIBCMT ref: 005366A0
_memmove.LIBCMT ref: 005366B9
_memmove.LIBCMT ref: 005366D5

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 01f6861b9c9f464f3e444165d26c031541feffe0c99e54a007fe9ecc55138285
Instruction ID: 8fef4177060ddfe0b91fd55130f07044c9a530135530ea8641b43aa9f6beb2f6
Opcode Fuzzy Hash: 01f6861b9c9f464f3e444165d26c031541feffe0c99e54a007fe9ecc55138285
Instruction Fuzzy Hash: 7C619D3190025AABCF01EF61CC92AFE3BA5BF45308F44896EF9559B292DB38DC05DB54

Function 005501E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004D7DE1: _memmove.LIBCMT ref: 004D7E22

Part of subcall function 00550E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0054FDAD,?,?), ref: 00550E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005502BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005502FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00550320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00550349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0055038C
RegCloseKey.ADVAPI32(00000000), ref: 00550399

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 78e8a4f4b8795f5e68fc589e7369b6dab6ab643a88fdba505ba67fbae41c69fc
Instruction ID: 2ec04dcae38fa2cc0942035a709f96844dd48cf744c29048f7276003992e1017
Opcode Fuzzy Hash: 78e8a4f4b8795f5e68fc589e7369b6dab6ab643a88fdba505ba67fbae41c69fc
Instruction Fuzzy Hash: 10515C71208305AFC710EF64C8A9E6EBBE9FF85314F44491EF945872A2DB35E909CB52

Function 00555799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 005557FB
GetMenuItemCount.USER32(00000000), ref: 00555832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0055585A
GetMenuItemID.USER32(?,?), ref: 005558C9
GetSubMenu.USER32(?,?), ref: 005558D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00555928

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 57a82eec760ddd7a6cebcc98ed27afb2a7ca386dcb7680c7bcfabef71ccad45f
Instruction ID: f2a45539b93d17a4173d00cee524a89fee28281c8f65661f95aa4725c4febdd1
Opcode Fuzzy Hash: 57a82eec760ddd7a6cebcc98ed27afb2a7ca386dcb7680c7bcfabef71ccad45f
Instruction Fuzzy Hash: 44515B31E00615EFCF11AF65C865AAEBBB4FF48321F10446AED01AB351DB34AE459B94

Function 0052EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0052EF06
VariantClear.OLEAUT32(00000013), ref: 0052EF78
VariantClear.OLEAUT32(00000000), ref: 0052EFD3
_memmove.LIBCMT ref: 0052EFFD
VariantClear.OLEAUT32(?), ref: 0052F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0052F078

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: ceafebe7145a4352a026d500ad996e8928835d818fa5c9072b8796ed822e1da3
Instruction ID: b1feaa93026c134ba6ab06bcd3bef6e1b5ab2a21c27b8df20d1d68cbd350fff7
Opcode Fuzzy Hash: ceafebe7145a4352a026d500ad996e8928835d818fa5c9072b8796ed822e1da3
Instruction Fuzzy Hash: A8517BB5A00219EFCB10DF58D884AAABBB8FF4D314B158569ED49DB341E334E911CFA0

Function 0053220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00532258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005322A3
IsMenu.USER32(00000000), ref: 005322C3
CreatePopupMenu.USER32 ref: 005322F7
GetMenuItemCount.USER32(000000FF), ref: 00532355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00532386

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: a4466babe573b29cdb2a64afa999cf295f51c18d36f643a21bf39f52d29139a2
Instruction ID: 5c4bcbf3d999a8128d062f8c6272c9b9aa0dd46366101e45888299e13ccc15b7
Opcode Fuzzy Hash: a4466babe573b29cdb2a64afa999cf295f51c18d36f643a21bf39f52d29139a2
Instruction Fuzzy Hash: A5519B70601A0AEBDF21CF68D888BAEBFF5BF55318F104929E851AB290E3759944CB51

Function 004D1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 004D2612: GetWindowLongW.USER32(?,000000EB), ref: 004D2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 004D179A
GetWindowRect.USER32(?,?), ref: 004D17FE
ScreenToClient.USER32(?,?), ref: 004D181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004D182C
EndPaint.USER32(?,?), ref: 004D1876

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 7ff4ba3bb0f6b7566a0ee28501d555ff8dde3a79b8a2bd42f696b52fff48f32f
Instruction ID: 47222b63ed20ec0b3dff26f30fd9058a20ef27b35cc2f5a8d5a272eebbace4da
Opcode Fuzzy Hash: 7ff4ba3bb0f6b7566a0ee28501d555ff8dde3a79b8a2bd42f696b52fff48f32f
Instruction Fuzzy Hash: 7441BE30500700AFD711EF25CCA4FAA7BE8FB55724F14462BF9A4872B1D7349809EB62

Function 0055B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(005957B0,00000000,01764B30,?,?,005957B0,?,0055B5A8,?,?), ref: 0055B712
EnableWindow.USER32(00000000,00000000), ref: 0055B736
ShowWindow.USER32(005957B0,00000000,01764B30,?,?,005957B0,?,0055B5A8,?,?), ref: 0055B796
ShowWindow.USER32(00000000,00000004,?,0055B5A8,?,?), ref: 0055B7A8
EnableWindow.USER32(00000000,00000001), ref: 0055B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0055B7EF

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: d6aee16c50302b0a731858311a2bbe99050c1d86551c76138fe0227b342d4c86
Instruction ID: bda3d87110cb12b1d6ce9826729052b8da90ea34a17d0bc3dd824a121323c9ec
Opcode Fuzzy Hash: d6aee16c50302b0a731858311a2bbe99050c1d86551c76138fe0227b342d4c86
Instruction Fuzzy Hash: 2C416234610244AFEB25CF24C4ADB957FE1FF49312F1841BAED498F6A2C731A85ACB51

Function 0054709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00544E41,?,?,00000000,00000001), ref: 005470AC

Part of subcall function 005439A0: GetWindowRect.USER32(?,?), ref: 005439B3

GetDesktopWindow.USER32 ref: 005470D6
GetWindowRect.USER32(00000000), ref: 005470DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0054710F

Part of subcall function 00535244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005352BC

GetCursorPos.USER32(?), ref: 0054713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00547199

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 026222381121515fd37418135ed2edfd4d500da2e6d845a2b8978f7f325316ac
Instruction ID: a5fc5c6e567c8bdc807a46d73855a3d89c4f37e73d53d73bb5fbc39d0110164c
Opcode Fuzzy Hash: 026222381121515fd37418135ed2edfd4d500da2e6d845a2b8978f7f325316ac
Instruction Fuzzy Hash: F531C47250930AABD724DF14C849F9BBBE9FFC8314F000919F585A7191D770EA09CB92

Function 00528879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005280A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005280C0
Part of subcall function 005280A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005280CA
Part of subcall function 005280A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005280D9
Part of subcall function 005280A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005280E0
Part of subcall function 005280A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005280F6

GetLengthSid.ADVAPI32(?,00000000,0052842F), ref: 005288CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005288D6
HeapAlloc.KERNEL32(00000000), ref: 005288DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 005288F6
GetProcessHeap.KERNEL32(00000000,00000000,0052842F), ref: 0052890A
HeapFree.KERNEL32(00000000), ref: 00528911

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: b7ebfa95664ebca1844dbbfb63b25d681d7bed07ef710a4f24ea61dcdfb6de4f
Instruction ID: 4e575d59ba55c885099cc110e0d1d193c0660d9a5812c0fb0f4d63348a895203
Opcode Fuzzy Hash: b7ebfa95664ebca1844dbbfb63b25d681d7bed07ef710a4f24ea61dcdfb6de4f
Instruction Fuzzy Hash: 8A11AF31502619FFDB109FE4EC19BBE7B68FF46312F148428F84597190CB32A944DB60

Function 005285B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005285E2
OpenProcessToken.ADVAPI32(00000000), ref: 005285E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 005285F8
CloseHandle.KERNEL32(00000004), ref: 00528603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00528632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00528646

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 877dd2120c40d4f5352d8a6bbaf2182374c2b54c6307709a0297bff27bc7facc
Instruction ID: 7b9356d926c371191bdb27882fc21633eb400d8851d1cb4ecf84fae5eb044d87
Opcode Fuzzy Hash: 877dd2120c40d4f5352d8a6bbaf2182374c2b54c6307709a0297bff27bc7facc
Instruction Fuzzy Hash: 651159B2502209ABDF018FA4ED49BEE7FA9FF09305F044064FE05A21A0C7729D64EB60

Function 0052B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0052B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0052B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0052B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0052B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0052B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0052B7FE

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 74c6fc660b5cdae7a1f677bbf3f97d791a1cc0636c406acb64f09b3c55bc5f5d
Instruction ID: 71e1d044c7d9badd6e4296a54e0a071088f39a369c28e64f8799f416a3b93912
Opcode Fuzzy Hash: 74c6fc660b5cdae7a1f677bbf3f97d791a1cc0636c406acb64f09b3c55bc5f5d
Instruction Fuzzy Hash: 8A0184B5E00319BBEB109BE69C49A5EBFB8EF58311F044075FA04A7291D6309C04CF90

Function 004F0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 004F0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 004F019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004F01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004F01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 004F01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 004F01C1

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: aa09aa0abb4c3d53a960bbfd363f50b500820789466114549253b513a18bae89
Instruction ID: fb1a4f9ba541c7dcb5f655cc1cbcc8224622d7d69fd11a1b949b864103e7d0ef
Opcode Fuzzy Hash: aa09aa0abb4c3d53a960bbfd363f50b500820789466114549253b513a18bae89
Instruction Fuzzy Hash: 9C016CB09017597DE3009F5A8C85B52FFE8FF19354F00411BA15C47941C7F5A868CBE5

Function 005353E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005353F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0053540F
GetWindowThreadProcessId.USER32(?,?), ref: 0053541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0053542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00535437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0053543E

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 69a23e63cd3f463f6e68a9953ce226960c66e6fcd58f2188082ea78823665e65
Instruction ID: d650ce7a1426b22894b7dcbe5a905787ba9e4a851feecff3442f14633056521a
Opcode Fuzzy Hash: 69a23e63cd3f463f6e68a9953ce226960c66e6fcd58f2188082ea78823665e65
Instruction Fuzzy Hash: 7CF01D32241658BBE7215BA2DC0DEAB7F7CEBD6B12F000169FA04D2061A7A11A05D7B5

Function 00537230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00537243
EnterCriticalSection.KERNEL32(?,?,004E0EE4,?,?), ref: 00537254
TerminateThread.KERNEL32(00000000,000001F6,?,004E0EE4,?,?), ref: 00537261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,004E0EE4,?,?), ref: 0053726E

Part of subcall function 00536C35: CloseHandle.KERNEL32(00000000,?,0053727B,?,004E0EE4,?,?), ref: 00536C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00537281
LeaveCriticalSection.KERNEL32(?,?,004E0EE4,?,?), ref: 00537288

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 5075f9eafddf4d5cd3bf9cd17b0bbbfa2b55ddeccff7cb6fcd1211ac2ae286ab
Instruction ID: 771554db7c70c0cabd88774212f03bf1c9b50a01d713d2f5a4ae7f25c486d52d
Opcode Fuzzy Hash: 5075f9eafddf4d5cd3bf9cd17b0bbbfa2b55ddeccff7cb6fcd1211ac2ae286ab
Instruction Fuzzy Hash: 9CF05EBE541712EBDB122B64ED5C9DB7B29FF59703F100531F503914A0CB765805DB50

Function 00528992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0052899D
UnloadUserProfile.USERENV(?,?), ref: 005289A9
CloseHandle.KERNEL32(?), ref: 005289B2
CloseHandle.KERNEL32(?), ref: 005289BA
GetProcessHeap.KERNEL32(00000000,?), ref: 005289C3
HeapFree.KERNEL32(00000000), ref: 005289CA

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 247e79cfcd540104f7207d9669c1216eae68d91570686723707844a2ab98b029
Instruction ID: 2efce9ffe3eb480d0d2583c8a2a3fc4503243b894c038a5b16586b5548dd7f5f
Opcode Fuzzy Hash: 247e79cfcd540104f7207d9669c1216eae68d91570686723707844a2ab98b029
Instruction Fuzzy Hash: 0EE0C236004601FBDA012FE1EC1C90ABB69FBA9323B108630F21981470CB32A428EB90

Function 00527530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00562C7C,?), ref: 005276EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00562C7C,?), ref: 00527702
CLSIDFromProgID.OLE32(?,?,00000000,0055FB80,000000FF,?,00000000,00000800,00000000,?,00562C7C,?), ref: 00527727
_memcmp.LIBCMT ref: 00527748

Strings

,,V, xrefs: 0052753D

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,V
API String ID: 314563124-1966078457
Opcode ID: a6a8e32431418fbb254aa77ba90cf4b8970069d836d37e38e6922d38d7611beb
Instruction ID: d4c39e8dc93eda3a4a367afc6dfd5034d9a7e301394f16f982c371c55a8f026e
Opcode Fuzzy Hash: a6a8e32431418fbb254aa77ba90cf4b8970069d836d37e38e6922d38d7611beb
Instruction Fuzzy Hash: 25813E71A00119EFCB04DFA4D984EEEBBB9FF89315F204559F505AB290DB71AE06CB60

Function 005485ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00548613
CharUpperBuffW.USER32(?,?), ref: 00548722
VariantClear.OLEAUT32(?), ref: 0054889A

Part of subcall function 00537562: VariantInit.OLEAUT32(00000000), ref: 005375A2
Part of subcall function 00537562: VariantCopy.OLEAUT32(00000000,?), ref: 005375AB
Part of subcall function 00537562: VariantClear.OLEAUT32(00000000), ref: 005375B7

Strings

Incorrect Parameter format, xrefs: 0054864B, 0054880D
AUTOIT.ERROR, xrefs: 00548728

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: b5a252903b14a7bfd268fa7590777859b1473e1566834f1f5bec0e9492ad8015
Instruction ID: dfb71d78d32caf7e14ad4e60da34ceff7203a17d38d5285b412ad8126a967c0c
Opcode Fuzzy Hash: b5a252903b14a7bfd268fa7590777859b1473e1566834f1f5bec0e9492ad8015
Instruction Fuzzy Hash: EF915C716043019FCB10EF25C4949AABBE4FF89718F148D6EF89A9B361DB31E905CB91

Function 00532A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004EFC86: _wcscpy.LIBCMT ref: 004EFCA9

_memset.LIBCMT ref: 00532B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00532BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00532C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00532C97

Strings

0, xrefs: 00532B73

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: c1bcac4e52f63123adc6373dee44a9ef56deb7151e78fa5411e99b5d569dbb04
Instruction ID: 3982504acf4d335d8b90bfcbe05bb5e891f4fc4c91d2c44302d50f6bc594fbf9
Opcode Fuzzy Hash: c1bcac4e52f63123adc6373dee44a9ef56deb7151e78fa5411e99b5d569dbb04
Instruction Fuzzy Hash: 8D51EE71608B04ABD7259F28D845A6FBFE8FF94314F141A2EF884D3291EB74CC049B56

Function 004E3137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004E3277
_memmove.LIBCMT ref: 004E3310
_free.LIBCMT ref: 004E3336
_memmove.LIBCMT ref: 004E33E9

Strings

3cN, xrefs: 004E3225
_N, xrefs: 004E3322

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _memmove$_free
String ID: 3cN$_N
API String ID: 2620147621-2844543080
Opcode ID: 69eba21bffe813ddfd80297f1d673d8af7b3a050db77ca504b50a5bb517bce6e
Instruction ID: 290d194dca2d1a2871cbbac09963140f0cd455e5d3c61d71ce07c2b90b99179b
Opcode Fuzzy Hash: 69eba21bffe813ddfd80297f1d673d8af7b3a050db77ca504b50a5bb517bce6e
Instruction Fuzzy Hash: C9516D716043818FDB25CF2AC844B6BBBE5FF85315F08492EE98987391EB35E941CB46

Function 004E6192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004E6248
_memmove.LIBCMT ref: 004E62E4
_memset.LIBCMT ref: 004E6308

Strings

3cN, xrefs: 004E62AF
ERCP, xrefs: 004E61B3

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3cN$ERCP
API String ID: 2532777613-2799706292
Opcode ID: 42235874e78a1dc9d4055faf436f42593551a8c3c50a86b558c9415352df04d9
Instruction ID: 3f8972c9533a1a568c4ab40f819ab5f72d1f050e84a7e52b46d1d21f14ddf4f1
Opcode Fuzzy Hash: 42235874e78a1dc9d4055faf436f42593551a8c3c50a86b558c9415352df04d9
Instruction Fuzzy Hash: 7751E070901309DBDB24DF66C8417ABBBE4FF14345F2085AFE94AD7281E374AA41CB44

Function 00532753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005327C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 005327DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00532822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00595890,00000000), ref: 0053286B

Strings

0, xrefs: 005327B5

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 0ae4681498ff4ae9a86ae744a41f7d432a0f7ac7586d16524162302e136dc61f
Instruction ID: c7b6906ba53c81bfad64f54feb7d661745257737324a34f2171e8703be3a5121
Opcode Fuzzy Hash: 0ae4681498ff4ae9a86ae744a41f7d432a0f7ac7586d16524162302e136dc61f
Instruction Fuzzy Hash: 8B419E702047429FD720DF25C884B6ABFE8FF85314F148A2EF9A697291D774E905CB62

Function 0054D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0054D7C5

Part of subcall function 004D784B: _memmove.LIBCMT ref: 004D7899

Strings

winapi, xrefs: 0054D836
stdcall, xrefs: 0054D847
none, xrefs: 0054D8A0
cdecl, xrefs: 0054D81C

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 993463a6bd1e4e0c1ab1e5262095674388407fc9aabdfb88a71d9cfd03eba1bc
Instruction ID: c57ff1deca030a7474f1d168f867df6aa274985dd669238d8fc191fbbf85f034
Opcode Fuzzy Hash: 993463a6bd1e4e0c1ab1e5262095674388407fc9aabdfb88a71d9cfd03eba1bc
Instruction Fuzzy Hash: 0D31E371904609ABCF00EF55C8519FEBBB5FF54328B108A2AE825A73C1DB31A905CB90

Function 00528E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004D7DE1: _memmove.LIBCMT ref: 004D7E22

Part of subcall function 0052AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0052AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00528F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00528F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00528F57

Part of subcall function 004D7BCC: _memmove.LIBCMT ref: 004D7C06

Strings

ComboBox, xrefs: 00528E9E
ListBox, xrefs: 00528ED3

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: d9b22637c0ae869e68be17343006d68db1e6c0374d83b6c15207e71b899036f7
Instruction ID: afaef0bb5d3ed1c7adea6401218055ec47979f0e590b7602a436b7c115ccc66c
Opcode Fuzzy Hash: d9b22637c0ae869e68be17343006d68db1e6c0374d83b6c15207e71b899036f7
Instruction Fuzzy Hash: CF210471A01108BADB14ABB0EC95CFFBB69EF46324F14451BF821A72E1DF3958499610

Function 0054182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0054184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00541872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005418A2
InternetCloseHandle.WININET(00000000), ref: 005418E9

Part of subcall function 00542483: GetLastError.KERNEL32(?,?,00541817,00000000,00000000,00000001), ref: 00542498
Part of subcall function 00542483: SetEvent.KERNEL32(?,?,00541817,00000000,00000000,00000001), ref: 005424AD

Strings

, xrefs: 00541893

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 2958c1b9ac870287301ded979861dc21576a352d535f9a038c886fdf05055266
Instruction ID: afee0c6db04c2c95e044cb7dfd8b8e4a2eab4f5be28bca22fc61145674a41b87
Opcode Fuzzy Hash: 2958c1b9ac870287301ded979861dc21576a352d535f9a038c886fdf05055266
Instruction Fuzzy Hash: 5D21B0B1500708BFEB119F60DC85EFB7BEDFB88749F10412AF405D3140EA249D44A7A4

Function 005563E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004D1D73
Part of subcall function 004D1D35: GetStockObject.GDI32(00000011), ref: 004D1D87
Part of subcall function 004D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 004D1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00556461
LoadLibraryW.KERNEL32(?), ref: 00556468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0055647D
DestroyWindow.USER32(?), ref: 00556485

Strings

SysAnimate32, xrefs: 0055643C

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 6a0246f3073fa7e58c29a99f1a13c5d72268dd35e0ac9330b82ce95644d044a7
Instruction ID: a0adc970f26676ae08affe7ddd585896c0a16491c78712a379576ab0794f1455
Opcode Fuzzy Hash: 6a0246f3073fa7e58c29a99f1a13c5d72268dd35e0ac9330b82ce95644d044a7
Instruction Fuzzy Hash: 95218E71100245FBEF104FA4DCA4EBB7BADFB58365F90462AFD1093190D7359C59A760

Function 00536D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00536DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00536DEF
GetStdHandle.KERNEL32(0000000C), ref: 00536E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00536E3B

Strings

nul, xrefs: 00536E36

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: d5dfdbc4534e6265311de77f8ecf942af7674d91979f447663bdf5b29c588f64
Instruction ID: 6c9c3ed821db3d054bbaf7efb70b9768a7c702bfb35361e92441614c9c476bf0
Opcode Fuzzy Hash: d5dfdbc4534e6265311de77f8ecf942af7674d91979f447663bdf5b29c588f64
Instruction Fuzzy Hash: EF2153B560030ABBDB209F29DC05A9A7FB8FF55720F208A2DFDA1D72D0DB7099549B50

Function 00536E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00536E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00536EBB
GetStdHandle.KERNEL32(000000F6), ref: 00536ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00536F06

Strings

nul, xrefs: 00536F01

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 411b58179f58b28b6259425fc358eb58fea8be4282d71aea390c1b28a2aba26f
Instruction ID: ae8ea2b1afdd9f1e7357d1a8f18188186c5700f35d16d516f6663642b8ab013b
Opcode Fuzzy Hash: 411b58179f58b28b6259425fc358eb58fea8be4282d71aea390c1b28a2aba26f
Instruction Fuzzy Hash: E2216079500306ABDB209F69DC04AAB7BE8FF55720F208A1DFCA1D72D0DB70A859DB51

Function 0053AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0053AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0053ACA8
__swprintf.LIBCMT ref: 0053ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0055F910), ref: 0053ACFF

Strings

%lu, xrefs: 0053ACBB

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 2e019f35c674ba38daa65c091465398ec6645deefa2e0605ae99e6a546752337
Instruction ID: 566dd9d49d3e275ab5b8cb2c768465a6640afaa68cd24925c07d85bb68fe4db5
Opcode Fuzzy Hash: 2e019f35c674ba38daa65c091465398ec6645deefa2e0605ae99e6a546752337
Instruction Fuzzy Hash: D421A130A00209AFCB10EF65C955DAE7BB8FF89319B00406AF909EB351DB35EE05DB61

Function 00531142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0052FCED,?,00530D40,?,00008000), ref: 0053115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0052FCED,?,00530D40,?,00008000), ref: 00531184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0052FCED,?,00530D40,?,00008000), ref: 0053118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0052FCED,?,00530D40,?,00008000), ref: 005311C1

Strings

@S, xrefs: 0053119D

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @S
API String ID: 2875609808-3356961489
Opcode ID: 520d5d16bbfce47cb350352d1fe0062edc9decdf354e887f53e99996c3295845
Instruction ID: 27ef9c8117a0d7fd1b963c8737d73b83460f086d8743a03026752fb400ac3a38
Opcode Fuzzy Hash: 520d5d16bbfce47cb350352d1fe0062edc9decdf354e887f53e99996c3295845
Instruction Fuzzy Hash: 18115E71D01A1DE7CF00EFA5D848AEEBF78FF19711F004455EA41B2240CB709554DB99

Function 00531AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00531B19

Strings

EXISTS, xrefs: 00531B41
REMOVE, xrefs: 00531B1F
APPEND, xrefs: 00531B52
KEYS, xrefs: 00531B30

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 8934a26fa9b591d4ebf1effcc48fd363924b6bcc6505e860e34c821a42504140
Instruction ID: c7bd4573411a2b67e9d1c732e46615e9561195f887577ee4840a272f9ba3add4
Opcode Fuzzy Hash: 8934a26fa9b591d4ebf1effcc48fd363924b6bcc6505e860e34c821a42504140
Instruction Fuzzy Hash: 74115E709006089FCF00EFA5D9618FEFBB4FF65308F5044AAD85467692EB325D06CB58

Function 0054EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0054EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0054EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0054ED6A
CloseHandle.KERNEL32(?), ref: 0054EDEB

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 6c38f074654434a76d8761661df3d7c50a6bebe04e31837bc0c6b629fac5a3cd
Instruction ID: 383d9b841e4534ce8522ae3cd03043446b49930759fa4b09f7b4d1a8cc33f9b2
Opcode Fuzzy Hash: 6c38f074654434a76d8761661df3d7c50a6bebe04e31837bc0c6b629fac5a3cd
Instruction Fuzzy Hash: 83816C716003009FD760EF29C896F6ABBE5BF44B14F04881EF999DB3D2DA74AC448B95

Function 00550037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004D7DE1: _memmove.LIBCMT ref: 004D7E22

Part of subcall function 00550E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0054FDAD,?,?), ref: 00550E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005500FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0055013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00550183
RegCloseKey.ADVAPI32(?,?), ref: 005501AF
RegCloseKey.ADVAPI32(00000000), ref: 005501BC

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 3ed651d2d9d67ca909e31b0fa42f8e95ab15046bd9e2f9148ca06a9b218fc896
Instruction ID: 32ec8e0484aabca4ca5b1c56cddc22a277bfe37a93062f64dc23965b68b0e238
Opcode Fuzzy Hash: 3ed651d2d9d67ca909e31b0fa42f8e95ab15046bd9e2f9148ca06a9b218fc896
Instruction Fuzzy Hash: 84517C71208205AFC704EF58CCA5E6EBBE9FF84314F44491EF995872A1DB35E908CB56

Function 0054D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004D9837: __itow.LIBCMT ref: 004D9862
Part of subcall function 004D9837: __swprintf.LIBCMT ref: 004D98AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0054D927
GetProcAddress.KERNEL32(00000000,?), ref: 0054D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0054D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0054DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0054DA21

Part of subcall function 004D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00537896,?,?,00000000), ref: 004D5A2C
Part of subcall function 004D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00537896,?,?,00000000,?,?), ref: 004D5A50

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: be0f814090651e0e103ef4dd9305e99b923af5e57ab32b35250212ef18c3d396
Instruction ID: d1b73cb456f1604a2952f847e8aaa3fdd13e7e8d0e126586224c4129163837bb
Opcode Fuzzy Hash: be0f814090651e0e103ef4dd9305e99b923af5e57ab32b35250212ef18c3d396
Instruction Fuzzy Hash: 6C512975A00605DFCB00EFA9C4949ADBBF4FF19318B04806AE855AB312DB35ED45CF90

Function 0053E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0053E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0053E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0053E687

Part of subcall function 004D9837: __itow.LIBCMT ref: 004D9862
Part of subcall function 004D9837: __swprintf.LIBCMT ref: 004D98AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0053E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0053E6B4

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: f3eacfe936db55b0b5fe82d4a20725554d8f57c42b64792e0fb2a9b681430e21
Instruction ID: 1608328550b8e9cc52d4201513816f32dd0b65640017aaf884199c480707bc9f
Opcode Fuzzy Hash: f3eacfe936db55b0b5fe82d4a20725554d8f57c42b64792e0fb2a9b681430e21
Instruction Fuzzy Hash: 23512835A002059FCF01EF65C9919AEBBF5FF09314F1480AAE809AB362CB35ED10DB54

Function 0055A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9d48d1baef8bb84549af2c2058b0fc1219a940a36b62d3e460e664e62daf13
Instruction ID: fa5ae32de443f5daa1e83645b89d5ffc2648cf98d1b5e13232f3047bfee7104a
Opcode Fuzzy Hash: 5c9d48d1baef8bb84549af2c2058b0fc1219a940a36b62d3e460e664e62daf13
Instruction Fuzzy Hash: 9341B235904604AFD710DB28CC68FA9BFA4FB09312F150666EC16A72E1DB30AD49EB51

Function 004D2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004D2357
ScreenToClient.USER32(005957B0,?), ref: 004D2374
GetAsyncKeyState.USER32(00000001), ref: 004D2399
GetAsyncKeyState.USER32(00000002), ref: 004D23A7

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 0a6f5cb69ed86b2ae43f789d19ac4a17fb50116acd9ff0aec416c1b4917e3792
Instruction ID: 439a0673d68712ac8b2a845fc1682ec6f75fd72c7c459314eb1551f01447d20f
Opcode Fuzzy Hash: 0a6f5cb69ed86b2ae43f789d19ac4a17fb50116acd9ff0aec416c1b4917e3792
Instruction Fuzzy Hash: 4B419E75604206FBDF259F68C858AEEBF74BB15320F20431BF828922E0C7749954DB91

Function 005263AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005263E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00526433
TranslateMessage.USER32(?), ref: 0052645C
DispatchMessageW.USER32(?), ref: 00526466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00526475

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 5010d2484e0b5b3b47ed49c63ab54b4e272472142492e6546246e27e92f44a32
Instruction ID: edbde2360219055c62652eb2a81db71f6ee79767c71ec95d0e4635fbff7bb941
Opcode Fuzzy Hash: 5010d2484e0b5b3b47ed49c63ab54b4e272472142492e6546246e27e92f44a32
Instruction Fuzzy Hash: C431C431900666AFDF25DFB0EC84BB67FA8BF22300F240566E561C31E1E7259499E7A0

Function 00528A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00528A30
PostMessageW.USER32(?,00000201,00000001), ref: 00528ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00528AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00528AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00528AF8

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 4793b7b74080aab759c5c0a3e1bc027492443866416dcdefb59ba8da7fece811
Instruction ID: 93196c1937d1cd0d0dffb7ea2e25eeede0082af26a4646b690a4f82019991d45
Opcode Fuzzy Hash: 4793b7b74080aab759c5c0a3e1bc027492443866416dcdefb59ba8da7fece811
Instruction Fuzzy Hash: 2531B171501229EBDB14CFA8E94CAAE3BB5FF15326F104229F925EB1D0CBB09914DB90

Function 0052B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0052B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0052B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0052B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0052B27F
_wcsstr.LIBCMT ref: 0052B289

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 93e72b7a8ecfee266b612ca6fbfb03eceb7364a8f1fe521236000f5cfefb06a6
Instruction ID: 77de25aeae6c01581a5e832a66798318fd6ff1aeab48c2785eb7a200d7495b10
Opcode Fuzzy Hash: 93e72b7a8ecfee266b612ca6fbfb03eceb7364a8f1fe521236000f5cfefb06a6
Instruction Fuzzy Hash: 49212576604314BAFB159B75AC09E7F7F98EF8A710F00412EF804CA1A1EB65DC40A3A0

Function 0055B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 004D2612: GetWindowLongW.USER32(?,000000EB), ref: 004D2623

GetWindowLongW.USER32(?,000000F0), ref: 0055B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0055B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0055B1CF
GetSystemMetrics.USER32(00000004), ref: 0055B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00540E90,00000000), ref: 0055B216

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 66bb56a04f541b785a06c10288e945932f8475e1d1484764f8423f3ec35e7466
Instruction ID: a62811913e8c454a0636862caa50e7a52fa2cb131b6a9e1a113218f975fec093
Opcode Fuzzy Hash: 66bb56a04f541b785a06c10288e945932f8475e1d1484764f8423f3ec35e7466
Instruction Fuzzy Hash: AD219471510655AFDB109F38DC28A6A3BA4FB15362F21472AFD32D71E0E7309828DB90

Function 00529307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00529320

Part of subcall function 004D7BCC: _memmove.LIBCMT ref: 004D7C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00529352
__itow.LIBCMT ref: 0052936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00529392
__itow.LIBCMT ref: 005293A3

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 72f9aa8cbe98b2b82c6eafc2bfe98354b482fece1eb1191c121928939df0492c
Instruction ID: aa1557625c2e4eae92befcd7b8171e33b2c29a2bba75d74e4766de5e1ac20ba0
Opcode Fuzzy Hash: 72f9aa8cbe98b2b82c6eafc2bfe98354b482fece1eb1191c121928939df0492c
Instruction Fuzzy Hash: 8621F8317002186BDB10DA61AC89EEE3FA9FFA9715F04442AFD04D73C0D6708D4597A1

Function 00545A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00545A6E
GetForegroundWindow.USER32 ref: 00545A85
GetDC.USER32(00000000), ref: 00545AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00545ACD
ReleaseDC.USER32(00000000,00000003), ref: 00545B08

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 60d67c9a5a227f76734cacc1dbd15f3bb25f23d205fb2a3c0848357d5d6cc022
Instruction ID: a09af41375033aa6a5e36d61578b607b9ab8c4e2c624cbaafaf1f6ab9a0e5812
Opcode Fuzzy Hash: 60d67c9a5a227f76734cacc1dbd15f3bb25f23d205fb2a3c0848357d5d6cc022
Instruction Fuzzy Hash: 8821A435A00204AFDB04EFA5DC98AAABBE5FF58311F148479F809D7362DB70AC04DB90

Function 004D12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 004D134D
SelectObject.GDI32(?,00000000), ref: 004D135C
BeginPath.GDI32(?), ref: 004D1373
SelectObject.GDI32(?,00000000), ref: 004D139C

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 442a64e098c88df53e7c2e9094efb91a997d940887cd700a40b779edd497ba99
Instruction ID: e4d054ef581668011b043af58a26e50152c9d21464a9c8fdfbed51ee88887818
Opcode Fuzzy Hash: 442a64e098c88df53e7c2e9094efb91a997d940887cd700a40b779edd497ba99
Instruction Fuzzy Hash: 8F215330801704EBEB119F65DC5875E7BE4FB20321F294217FC11962B0E77598A9EF55

Function 0052BC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0052BCB3
_memcmp.LIBCMT ref: 0052BCD1
_memcmp.LIBCMT ref: 0052BCE4
_memcmp.LIBCMT ref: 0052BCFC
_memcmp.LIBCMT ref: 0052BD14

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 39ccbdc9e890925ddb4bab3e824aaa133acc5a0834a2e73e919743ef971a0cda
Instruction ID: ba18b731130034adea29b22fd29b1510325ceb2485e453473aee83343efcba0a
Opcode Fuzzy Hash: 39ccbdc9e890925ddb4bab3e824aaa133acc5a0834a2e73e919743ef971a0cda
Instruction Fuzzy Hash: B701967260051A7BF6046A126D42FFB7F5CFE62398F044425FE05A73C3EB55DE1182A5

Function 00534A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00534ABA
__beginthreadex.LIBCMT ref: 00534AD8
MessageBoxW.USER32(?,?,?,?), ref: 00534AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00534B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00534B0A

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 3c9076173d43c0314e91386f65b4d935dc1fd4c97953fc6272c7236dd4cb77dd
Instruction ID: 2954575a6cf7cb902eed7a065aa93aadf346b054f643ea095ba4d8354663be4c
Opcode Fuzzy Hash: 3c9076173d43c0314e91386f65b4d935dc1fd4c97953fc6272c7236dd4cb77dd
Instruction Fuzzy Hash: 34110476905608BBCB019FA8EC18A9B7FACEB55321F15426AF814D3250E671D9189BA0

Function 00528202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0052821E
GetLastError.KERNEL32(?,00527CE2,?,?,?), ref: 00528228
GetProcessHeap.KERNEL32(00000008,?,?,00527CE2,?,?,?), ref: 00528237
HeapAlloc.KERNEL32(00000000,?,00527CE2,?,?,?), ref: 0052823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00528255

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 1999bc72dd80a6540f8ecc06c6d51ecaae04259c477f60e237e6040465e3e56c
Instruction ID: 9265c47ad4b3aea6157dd9dd289771b4e85f98e79343675f4f0076ee00868f17
Opcode Fuzzy Hash: 1999bc72dd80a6540f8ecc06c6d51ecaae04259c477f60e237e6040465e3e56c
Instruction Fuzzy Hash: 05014675202624EFDB204FA6EC58D6B7FADFF9A756B500469F809C3260DA318C04EB60

Function 0052710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00527044,80070057,?,?,?,00527455), ref: 00527127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00527044,80070057,?,?), ref: 00527142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00527044,80070057,?,?), ref: 00527150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00527044,80070057,?), ref: 00527160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00527044,80070057,?,?), ref: 0052716C

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 4ba99dde636ea9d424f4e0e45c6722c3c2ad0f3159af129d9b0297dad90cbbb6
Instruction ID: 57b7f19538b705a32ee4d1f0bc332829110ee9a272da4379ebe0c8c2346c3761
Opcode Fuzzy Hash: 4ba99dde636ea9d424f4e0e45c6722c3c2ad0f3159af129d9b0297dad90cbbb6
Instruction Fuzzy Hash: 48017C72A01328ABDB118F64EC44AAA7FADFF49792F1400A4FD04D2260D731DD50EBA0

Function 00535244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00535260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0053526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00535276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00535280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005352BC

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 52f00d8258e0062d499bf186e05d00c336444b2d4c4670e134fec6a18dddc137
Instruction ID: 0bbb4d5f0d423b9d4f5e5474db90c62360967bc63cb323fa28e8dfa0bcd67b37
Opcode Fuzzy Hash: 52f00d8258e0062d499bf186e05d00c336444b2d4c4670e134fec6a18dddc137
Instruction Fuzzy Hash: 19015735D01A19DBCF00EFE4E849AEEBB78BB18312F400456E941B2191DB305554DBA1

Function 0052810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00528121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0052812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0052813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00528141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00528157

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0aad0ee1f0e01f26634f85026838a96d9eca7f277ddb32562ef3c2b0f9180cc8
Instruction ID: 98ab22d8ad77bb1e71194dcedc86971d8c45e70df98e55d2b8b60f2af8a8db21
Opcode Fuzzy Hash: 0aad0ee1f0e01f26634f85026838a96d9eca7f277ddb32562ef3c2b0f9180cc8
Instruction Fuzzy Hash: 8BF04F71202324AFEB110FA5EC9DF7B3FACFF4A755B040025F945C61E0CA619955EB60

Function 0052C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0052C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0052C20E
MessageBeep.USER32(00000000), ref: 0052C226
KillTimer.USER32(?,0000040A), ref: 0052C242
EndDialog.USER32(?,00000001), ref: 0052C25C

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 97843df8a48e6804e7356704acefdbc889782fa214a8f4ea5f35a8f3bb642b03
Instruction ID: e7e7727d2f4c9c90c554aafeda6d07680d7f86524ab6cb5b9effbd82ef34e628
Opcode Fuzzy Hash: 97843df8a48e6804e7356704acefdbc889782fa214a8f4ea5f35a8f3bb642b03
Instruction Fuzzy Hash: 1E01D634404314EBEB206B60ED5EF9A7FB8FF11B06F00066AF582A14E1DBF469489B90

Function 004D13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004D13BF
StrokeAndFillPath.GDI32(?,?,0050B888,00000000,?), ref: 004D13DB
SelectObject.GDI32(?,00000000), ref: 004D13EE
DeleteObject.GDI32 ref: 004D1401
StrokePath.GDI32(?), ref: 004D141C

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 8d93ef24ff7ef7f914e0239d6ec58524d6ee0177f09af0f8cd37b464b6ac4ef5
Instruction ID: 6c7ac53f2e16d9eda31faebaad081a1fa2b9b37b2a9ec449cf53780c7a5e9b27
Opcode Fuzzy Hash: 8d93ef24ff7ef7f914e0239d6ec58524d6ee0177f09af0f8cd37b464b6ac4ef5
Instruction Fuzzy Hash: 9AF0EC30005B08EBDB125F26EC5C7593FE4A721326F2D8227E82A892F1D73549ADEF54

Function 004E2CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 004F0DB6: std::exception::exception.LIBCMT ref: 004F0DEC
Part of subcall function 004F0DB6: __CxxThrowException@8.LIBCMT ref: 004F0E01

Part of subcall function 004D7DE1: _memmove.LIBCMT ref: 004D7E22

Part of subcall function 004D7A51: _memmove.LIBCMT ref: 004D7AAB

__swprintf.LIBCMT ref: 004E2ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 004E2D66

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 4bb084fa9d192f595aa147b8e6f088e57cca49cecbf27b0848c6228c9972b0fd
Instruction ID: c64181a8fb6cd291590934048b7f8e4029dbf39487825e9d35fb30bc57ca792a
Opcode Fuzzy Hash: 4bb084fa9d192f595aa147b8e6f088e57cca49cecbf27b0848c6228c9972b0fd
Instruction Fuzzy Hash: 7D919B711082119FD714EF2AC995CAFBBA8FF85318F00491FF4419B2A1EA78ED44CB5A

Function 0053B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 004D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004D4743,?,?,004D37AE,?), ref: 004D4770

CoInitialize.OLE32(00000000), ref: 0053B9BB
CoCreateInstance.OLE32(00562D6C,00000000,00000001,00562BDC,?), ref: 0053B9D4
CoUninitialize.OLE32 ref: 0053B9F1

Part of subcall function 004D9837: __itow.LIBCMT ref: 004D9862
Part of subcall function 004D9837: __swprintf.LIBCMT ref: 004D98AC

Strings

.lnk, xrefs: 0053B99D, 0053B9AB

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 9cea543a189e79eb660db8b31d23970d0095704d1f632a1861cd32da35a0bf89
Instruction ID: 041bbcd6f45b9a2eabd1864dc613c356f7fb16d1bc48f1e18385aa3710ecf81d
Opcode Fuzzy Hash: 9cea543a189e79eb660db8b31d23970d0095704d1f632a1861cd32da35a0bf89
Instruction Fuzzy Hash: 72A153756043059FDB00EF15C8A4D2ABBE5FF89318F04898AF9999B3A1CB31EC45CB91

Function 0052B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0052B4BE

Strings

Container, xrefs: 0052B43B
%V, xrefs: 0052B561
AutoIt3GUI, xrefs: 0052B436

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%V
API String ID: 3565006973-1885944983
Opcode ID: b6312102bae59ba370ab9f6ab2b010d17722aa0276e0d19747095956ec313046
Instruction ID: b3b690c4707401b802ed3570d53a331d309509f514f3d4e54a09c3851d3f79a6
Opcode Fuzzy Hash: b6312102bae59ba370ab9f6ab2b010d17722aa0276e0d19747095956ec313046
Instruction Fuzzy Hash: 64914A70600611AFEB14DF64D884A6ABBF5FF49710F20896EE94ACB291EB70E841CB50

Function 004F501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004F50AD

Part of subcall function 005000F0: __87except.LIBCMT ref: 0050012B

Strings

pow, xrefs: 004F5085, 004F50A2

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 57a4da46bfdf244d1dd79f9bccf7d245969917fcf827034732825aa2819519ed
Instruction ID: cd9b01196560341f258ef156e807093735f39fd62e023fa5f72ddac93210b53e
Opcode Fuzzy Hash: 57a4da46bfdf244d1dd79f9bccf7d245969917fcf827034732825aa2819519ed
Instruction Fuzzy Hash: 14514C3190890B9ADB117B18CD0537F2F94BB50710F209D5AE7D5863E9DE388DC8E68A

Function 00518584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0051862B
_memmove.LIBCMT ref: 00518685

Strings

3cN, xrefs: 0051860C
_N, xrefs: 005186FF, 0051DFDC, 0051DFF8

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _memmove
String ID: 3cN$_N
API String ID: 4104443479-2844543080
Opcode ID: 5c12ab00770f975896df9fd1050a517004d739694bd4d3cd46eea0cceb26e868
Instruction ID: 840ab9f86024d78a1c8e6625c125e1d110b503c10866850f9efcd533a35eee2f
Opcode Fuzzy Hash: 5c12ab00770f975896df9fd1050a517004d739694bd4d3cd46eea0cceb26e868
Instruction Fuzzy Hash: 99516970A00609DFDF24CF69C884AFEBBB1FF44304F24852AE85AD7250EB34A995CB51

Function 005297F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005314BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00529296,?,?,00000034,00000800,?,00000034), ref: 005314E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0052983F

Part of subcall function 00531487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005292C5,?,?,00000800,?,00001073,00000000,?,?), ref: 005314B1

Part of subcall function 005313DE: GetWindowThreadProcessId.USER32(?,?), ref: 00531409
Part of subcall function 005313DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0052925A,00000034,?,?,00001004,00000000,00000000), ref: 00531419
Part of subcall function 005313DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0052925A,00000034,?,?,00001004,00000000,00000000), ref: 0053142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005298AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005298F9

Strings

@, xrefs: 00529911

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 91726db61c134718bc9d59565ac6df43790f79386942aa59be0594a0aa3d68a2
Instruction ID: 63eaabd11b4148682a3d50b5b3ded2fdc56de4ccbce695b56d2903d922d432c2
Opcode Fuzzy Hash: 91726db61c134718bc9d59565ac6df43790f79386942aa59be0594a0aa3d68a2
Instruction Fuzzy Hash: C7415E76901219AFCF10DFA4CD85ADEBBB8FF49700F004099FA45B7181DA716E85CBA0

Function 00557946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0055F910,00000000,?,?,?,?), ref: 005579DF
GetWindowLongW.USER32 ref: 005579FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00557A0C

Strings

SysTreeView32, xrefs: 005579B1

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: ac3045b11bb449166b4d5357614f28083b2584f9a39c34bfd50703053d9f490f
Instruction ID: fe9a523e108e480eb601d5b5653996a6a664694ccdc6f4d0b59c12b2d8db4398
Opcode Fuzzy Hash: ac3045b11bb449166b4d5357614f28083b2584f9a39c34bfd50703053d9f490f
Instruction Fuzzy Hash: E931D23120420AABDB118F34DC65BEA7BA9FF09325F204726FC75932E0D730E9549B60

Function 005573D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00557461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00557475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00557499

Strings

SysMonthCal32, xrefs: 0055742C

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: e1587662bc9813192e42273d8627c59d396d6c55e66336ef8f1d6b26850a8201
Instruction ID: 39aa67809700d29edbaa5403d4ec2cb14eabb38ce7a289e74cf1db93a70c4fdd
Opcode Fuzzy Hash: e1587662bc9813192e42273d8627c59d396d6c55e66336ef8f1d6b26850a8201
Instruction Fuzzy Hash: D621EF32100218ABDF118FA4DC56FEA3F6AFB4C725F110215FE146B190DAB5AC54DBA0

Function 00557B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00557C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00557C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00557C5F

Strings

msctls_updown32, xrefs: 00557BC4

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 746a76c23ee625dbb0e07c020f035f13ad5ff5b2d4652869cc6af29befb46ff6
Instruction ID: 525a299f0788cb62b46f2ac8567c2e892ab9aa7ef2ac61aaf4c30e117fdccae5
Opcode Fuzzy Hash: 746a76c23ee625dbb0e07c020f035f13ad5ff5b2d4652869cc6af29befb46ff6
Instruction Fuzzy Hash: B1219FB1604208AFDB11DF18DCD5CA73BECFB5A395B14001AF9009B3A1DB31EC158B60

Function 00556CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00556D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00556D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00556D70

Strings

Listbox, xrefs: 00556D08

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 8c61898b3fd3dc899ce68e6d0eb5714b362c68c33383f8a91bacbbbaabf23a5d
Instruction ID: 896db1d8f3bc7f6c755e55e5e638608f84e8212b8d4437f9efe2b7d24b976f8b
Opcode Fuzzy Hash: 8c61898b3fd3dc899ce68e6d0eb5714b362c68c33383f8a91bacbbbaabf23a5d
Instruction Fuzzy Hash: 2E21D032200158BFEF118F54CC55EBB3BBAFB89751F41812AFD409B1A0C671AC559BA0

Function 005439E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00543A66

Part of subcall function 004D7DE1: _memmove.LIBCMT ref: 004D7E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 00543A58
, $, xrefs: 00543AA6
%V, xrefs: 005439F4

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%V
API String ID: 3506404897-1386154089
Opcode ID: b9097c97eed9569ff12171c5d5d9e5e29a9186e3496ab2b90562081495967974
Instruction ID: 3a3c76352686b46ff52d62472cd7fd37ca727fa0b95d3765dcfda8d042c11774
Opcode Fuzzy Hash: b9097c97eed9569ff12171c5d5d9e5e29a9186e3496ab2b90562081495967974
Instruction Fuzzy Hash: D921C130640219AFCF10EF65CC96AEE7BB5FF44704F50045AF845AB292DB34EA45CB65

Function 0055770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00557772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00557787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00557794

Strings

msctls_trackbar32, xrefs: 00557749

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 851a157cd658215bc17d4b1fa5ec1d10dc8ec1ad3e4fe9f8ac210affe1db9fd8
Instruction ID: 8c2ddc02de1032029b586cb77a858c2a3067c5b16272a8548af2697decb830d7
Opcode Fuzzy Hash: 851a157cd658215bc17d4b1fa5ec1d10dc8ec1ad3e4fe9f8ac210affe1db9fd8
Instruction Fuzzy Hash: A7112772214208BAEF105F61EC15FEB3BA9FF8CB55F01011AFA41A2090D271E811DB10

Function 004F6B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 004F6B93
__calloc_crt.LIBCMT ref: 004F6BAC

Strings

@BY, xrefs: 004F6BC3
X, xrefs: 004F6BD1

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: __calloc_crt
String ID: X$@BY
API String ID: 3494438863-3375393622
Opcode ID: db5c143dc619a063b75958d5dd6091acafcf7acbabbda11ca7e7a9eb13882674
Instruction ID: 090d2cccd12e382fd7677c31ec854a55b968d7412b004bb4d16b477ae3b2c2e8
Opcode Fuzzy Hash: db5c143dc619a063b75958d5dd6091acafcf7acbabbda11ca7e7a9eb13882674
Instruction Fuzzy Hash: 16F0C8752086298BFB269F25BC52B7227D4E711334B12041FE704DE280FB38A84557C8

Function 004F9B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 004F9B94

Part of subcall function 004F9C0B: __mtinitlocknum.LIBCMT ref: 004F9C1D
Part of subcall function 004F9C0B: EnterCriticalSection.KERNEL32(00000000,?,004F9A7C,0000000D), ref: 004F9C36

__updatetlocinfoEx_nolock.LIBCMT ref: 004F9BA4

Part of subcall function 004F9100: ___addlocaleref.LIBCMT ref: 004F911C
Part of subcall function 004F9100: ___removelocaleref.LIBCMT ref: 004F9127
Part of subcall function 004F9100: ___freetlocinfo.LIBCMT ref: 004F913B

Strings

8X, xrefs: 004F9B85
8X, xrefs: 004F9B8A, 004F9B9F, 004F9BAB

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8X$8X
API String ID: 547918592-2356835252
Opcode ID: 2b758f55a6db26b9cb52c35a667f9425fe213ad520db762fe9db724cb329eb5d
Instruction ID: b7cebcfbac3791b0a2b70422ef91e1228c902730e438a9d2c2d09d85d24d6eb3
Opcode Fuzzy Hash: 2b758f55a6db26b9cb52c35a667f9425fe213ad520db762fe9db724cb329eb5d
Instruction Fuzzy Hash: 8DE08C71943308AAEA10BBA56907B293AE0BB00B3AF20115FFA55791D5CEB81D00871F

Function 004D4C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004D4BD0,?,004D4DEF,?,005952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 004D4C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004D4C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 004D4C1D
kernel32.dll, xrefs: 004D4C0C

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 10b699ac38435978c7bccb7cf364dd2e599112a04b722e2a77ca65c56d954700
Instruction ID: ceac415753388b9abebeecf34d5763890d99a0503b1301ac8914b2faef61474d
Opcode Fuzzy Hash: 10b699ac38435978c7bccb7cf364dd2e599112a04b722e2a77ca65c56d954700
Instruction Fuzzy Hash: E2D01730521B13CFD720AF71D968607BAE5EF19752B128C3B9886D6A60E7B4D884CB61

Function 004D4C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004D4B83,?), ref: 004D4C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004D4C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 004D4C50
kernel32.dll, xrefs: 004D4C3F

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 486efe8fe387a4432b3761f41b2231e7eed922979f31f83335750e828a46c4c6
Instruction ID: 7b4b8c12886597354064e911951fe3c06c31ff58ed2677bfc4eb375e985d6337
Opcode Fuzzy Hash: 486efe8fe387a4432b3761f41b2231e7eed922979f31f83335750e828a46c4c6
Instruction Fuzzy Hash: 96D01770520B13CFD720AF31D92860A7BE4AF15752B12883B9896D6A60E674D884CB60

Function 00550DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00551039), ref: 00550DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00550E07

Strings

RegDeleteKeyExW, xrefs: 00550E01
advapi32.dll, xrefs: 00550DF0

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 2f210bb2258bda9ee3d04c84c6f66c09eee32e7bcddab77631acf83833baddfc
Instruction ID: 348cd70992bb1f508f023060aaf4fcbea563295a91c2714a32ed5670d4a04596
Opcode Fuzzy Hash: 2f210bb2258bda9ee3d04c84c6f66c09eee32e7bcddab77631acf83833baddfc
Instruction Fuzzy Hash: 14D0C730500B22CFD321AF70C8192827AE8BF10343F248C3E9882E6190E7B0D894CB50

Function 005490E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00548CF4,?,0055F910), ref: 005490EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00549100

Strings

kernel32.dll, xrefs: 005490E9
GetModuleHandleExW, xrefs: 005490FA

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 7f7abe1e1ae88485f7a1df7f27e3136c40fadcf1097390f1a682fd908fbb7465
Instruction ID: 01d56a9a864c7b085a5c6472b38dd8b0db68d114e4a61e685ac2c4a081599945
Opcode Fuzzy Hash: 7f7abe1e1ae88485f7a1df7f27e3136c40fadcf1097390f1a682fd908fbb7465
Instruction Fuzzy Hash: C7D01734510B13CFDB20AF31D8296577AE4BF15356B12883A9986D6990EA70C884CBA0

Function 00511714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00511718
__swprintf.LIBCMT ref: 00511749

Strings

%.3d, xrefs: 00511723
WIN_XPe, xrefs: 00511788

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 109ddbf43e3601d023d6fe3d334a8320c94037ebb89585eefef0fe87a05d690c
Instruction ID: 8a6d88ef3073f96606ac1789c4cbf88a94c9fcb273c56e33b5d2da64e6d55036
Opcode Fuzzy Hash: 109ddbf43e3601d023d6fe3d334a8320c94037ebb89585eefef0fe87a05d690c
Instruction Fuzzy Hash: A2D01275805509EADB10AA909C9C8F97B7CF718301F140893F702E2280E2259BD5E729

Function 0052717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd2c86a72a14a4d09fe36cbce54141b1cd51c4da2d25e1aa1cc8c1f7aa10444
Instruction ID: 92bda4832dfb6547f3a6eb0ad8926b58c0106a08eda56a3b1fa97e6c13264c6b
Opcode Fuzzy Hash: 9bd2c86a72a14a4d09fe36cbce54141b1cd51c4da2d25e1aa1cc8c1f7aa10444
Instruction Fuzzy Hash: DDC19175A0422AEFCB14DF94D884EAEBBB5FF4D304B144998E805DB291D730ED41DB90

Function 0054E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0054E0BE
CharLowerBuffW.USER32(?,?), ref: 0054E101

Part of subcall function 0054D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0054D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0054E301
_memmove.LIBCMT ref: 0054E314

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 4ff106a85cd2ca33b1ef3c0d09d0762983a3ce73ea88237b96bb34d6b71a040c
Instruction ID: 4625d6b8ac697047320f29fc250eaeb40964058b1cdccd863534896d1c9328f9
Opcode Fuzzy Hash: 4ff106a85cd2ca33b1ef3c0d09d0762983a3ce73ea88237b96bb34d6b71a040c
Instruction Fuzzy Hash: 34C15871A083019FC704DF28C491AAABBE4FF89718F04896EF899DB351D770E946CB81

Function 00548093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005480C3
CoUninitialize.OLE32 ref: 005480CE

Part of subcall function 0052D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0052D5D4

VariantInit.OLEAUT32(?), ref: 005480D9
VariantClear.OLEAUT32(?), ref: 005483AA

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 16a256bea9fca2986416cb017e319fbc508a15b89c0708a9b5e45df0b1a704da
Instruction ID: e7e6946094986c267df70213632b76e8a640a9b4e6e3b7394be65a6dbca7ada5
Opcode Fuzzy Hash: 16a256bea9fca2986416cb017e319fbc508a15b89c0708a9b5e45df0b1a704da
Instruction Fuzzy Hash: ABA158756047019FCB00EF25C895A6EBBE4BF89718F04484EF9969B3A1CB34EC05DB86

Function 0052687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0052688E
SysAllocString.OLEAUT32(00000000), ref: 00526937
VariantCopy.OLEAUT32 ref: 00526966
VariantClear.OLEAUT32(?), ref: 0052698D

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 66351f9d03d5e83312dda94db0853175e496fe3d0efecb9ae746b1d87b44766d
Instruction ID: 213776d5dc26d04a4a55e02c5d4f1b3312f250975110802c485602776dd4b4ec
Opcode Fuzzy Hash: 66351f9d03d5e83312dda94db0853175e496fe3d0efecb9ae746b1d87b44766d
Instruction Fuzzy Hash: 4F51A174700316DADB24AF65E8A5A3ABBE5BF46310F20D81FE586DB2D1DB74DC808705

Function 005597F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0176ED98,?), ref: 00559863
ScreenToClient.USER32(00000002,00000002), ref: 00559896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00559903

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: abf55a8103d7a53bc7d5b97fe339b7c50d297949469aadf150dd4a75b7bba3cc
Instruction ID: b94836cda6cee1b1336d1c0366741825d777531c318170c86da8e70e94b9db5e
Opcode Fuzzy Hash: abf55a8103d7a53bc7d5b97fe339b7c50d297949469aadf150dd4a75b7bba3cc
Instruction Fuzzy Hash: 06514D34A00209EFCF10CF64C9A4AAE7BB5FF55361F24815AF8659B2A0D734AD85DB90

Function 00529A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00529AD2
__itow.LIBCMT ref: 00529B03

Part of subcall function 00529D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00529DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00529B6C
__itow.LIBCMT ref: 00529BC3

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 9cc69a256da7e62abc5d1becb95d1ba0542a3b8a83e09a16e5b652aeb02d844c
Instruction ID: 0f26e1479d44fb6c355f1e2ee7a050c92517cedaa2690d6e61f01266f1d961c0
Opcode Fuzzy Hash: 9cc69a256da7e62abc5d1becb95d1ba0542a3b8a83e09a16e5b652aeb02d844c
Instruction Fuzzy Hash: 8C41BE70A04218ABDF11EF15E856BEE7FB9EF49714F00006AF905A3391DB749A44CBA5

Function 005469AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 005469D1
WSAGetLastError.WSOCK32(00000000), ref: 005469E1

Part of subcall function 004D9837: __itow.LIBCMT ref: 004D9862
Part of subcall function 004D9837: __swprintf.LIBCMT ref: 004D98AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00546A45
WSAGetLastError.WSOCK32(00000000), ref: 00546A51

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: c3231300dc614255ebd39d4fecde4a0437dc426f3daf591493a8201ee160fe60
Instruction ID: ed32d7e58844b5c4ee159d650fa7a3c33df9599ecf763e45b4ff218b5166e46e
Opcode Fuzzy Hash: c3231300dc614255ebd39d4fecde4a0437dc426f3daf591493a8201ee160fe60
Instruction Fuzzy Hash: 9441B135700200AFEB60BF25CC96F7A77A4AF05B18F04841EFA59EB3C2DA749D008795

Function 0054641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0055F910), ref: 005464A7
_strlen.LIBCMT ref: 005464D9

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: a95a6e81cf4f216f304caaa33d74628799fee0b9ea3605f73c2462beb2d478b3
Instruction ID: 2978c02c0cf1e3a86985d99732465d42965f08cbdd9dee9e794fec3553df0535
Opcode Fuzzy Hash: a95a6e81cf4f216f304caaa33d74628799fee0b9ea3605f73c2462beb2d478b3
Instruction Fuzzy Hash: 1441C371A00108ABCB14EBA9EC95FFEBBA8BF45318F50815AF81597392DB34AD04CB55

Function 0053B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0053B89E
GetLastError.KERNEL32(?,00000000), ref: 0053B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0053B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0053B915

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: d1b75fddb89cdd9b9a38aeb64d4559016820eb710a56e048bcaa791604a0bef0
Instruction ID: d8617c7e92be97d5896a4783066fab9d26e4f40faf6fd39004be57ae1b939854
Opcode Fuzzy Hash: d1b75fddb89cdd9b9a38aeb64d4559016820eb710a56e048bcaa791604a0bef0
Instruction Fuzzy Hash: 5B412639A00610DFCB10EF15C494A59BBE1BF8A714F09809AFD4AAB362CB34FD05DB95

Function 00558851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005588DE

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 914410caab511cf88ed2af3546d18805f3abb77d6c21b434f387dd9b288ad06d
Instruction ID: 2e03340ee9dde00f3923be1d7bc59aca9eda6a1b39206a62e82fd5779ff4b5a4
Opcode Fuzzy Hash: 914410caab511cf88ed2af3546d18805f3abb77d6c21b434f387dd9b288ad06d
Instruction Fuzzy Hash: 0E31C134600108EEEB209A58CC65BB97FB5FB05352FA44913FE11F62A1CE71A9489B92

Function 0055AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0055AB60
GetWindowRect.USER32(?,?), ref: 0055ABD6
PtInRect.USER32(?,?,0055C014), ref: 0055ABE6
MessageBeep.USER32(00000000), ref: 0055AC57

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 130da4cc7d39803216cb991f0eb819c3bc40ff6844c90490259d5e1a6d49d5f7
Instruction ID: b41a503fe108a485caecac57d1076c80d440c3e5ee84f12c4cf8d25040622cc8
Opcode Fuzzy Hash: 130da4cc7d39803216cb991f0eb819c3bc40ff6844c90490259d5e1a6d49d5f7
Instruction Fuzzy Hash: BB41A230600209DFCB11DF58C8A4B597FF5FF49312F1482A6F9559B260E730AC49DB92

Function 00530AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00530B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00530B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00530BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00530BFB

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c43bc6383f06b583b9c6f182167c85befa2c2fae2f231b7739446d2fbeea1230
Instruction ID: 9f50b7c14fbad53971fe3add647a2a742566a3f921ee93617b67b9f78d7f9e8e
Opcode Fuzzy Hash: c43bc6383f06b583b9c6f182167c85befa2c2fae2f231b7739446d2fbeea1230
Instruction Fuzzy Hash: EF313770940318AEFF308A299C39BFEFFA9BB45315F04526AE481521D1C37489449751

Function 00530C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00530C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00530C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00530CE1
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00530D33

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2b46ee129c2d3d1a22e03831b8084bc7976957240600efc75b5f92d1574ef114
Instruction ID: 945d3c5c61667ebca6484d189aa71df035a86a7c30bb12eefa404583f9fa32b6
Opcode Fuzzy Hash: 2b46ee129c2d3d1a22e03831b8084bc7976957240600efc75b5f92d1574ef114
Instruction Fuzzy Hash: 0031533094031CAEFF308A649829BFEFFA6BB85321F04672AE481521D1D3349D45D7A1

Function 005061C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 005061FB
__isleadbyte_l.LIBCMT ref: 00506229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00506257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0050628D

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 45a6cbcd5a23e529c778ef8adc030b6288ef9134eb1333a94b0113d12cec51fa
Instruction ID: 8fad967b65f3c7517331933ac348862ede5f93e8c2e737c50f0a15c32901452a
Opcode Fuzzy Hash: 45a6cbcd5a23e529c778ef8adc030b6288ef9134eb1333a94b0113d12cec51fa
Instruction Fuzzy Hash: 3431AC35604246AFDB218F65CC44BBE7FA9FF41310F154429E8649B1E1E731E960DB90

Function 00554EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00554F02

Part of subcall function 00533641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0053365B
Part of subcall function 00533641: GetCurrentThreadId.KERNEL32 ref: 00533662
Part of subcall function 00533641: AttachThreadInput.USER32(00000000,?,00535005), ref: 00533669

GetCaretPos.USER32(?), ref: 00554F13
ClientToScreen.USER32(00000000,?), ref: 00554F4E
GetForegroundWindow.USER32 ref: 00554F54

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c4dfce3c64fc32c337d88010be9ccb1c48a14b7df051ee5f2320e48ab7f4d702
Instruction ID: eaf939044977f35b453daa02e405980e71247da319103ab28337f3d634019277
Opcode Fuzzy Hash: c4dfce3c64fc32c337d88010be9ccb1c48a14b7df051ee5f2320e48ab7f4d702
Instruction Fuzzy Hash: 72312D71D00208AFCB00EFA6C8959EFBBF9EF98304F10446BE415E7241EA759E458BA4

Function 00533C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00533C7A
Process32FirstW.KERNEL32(00000000,?), ref: 00533C88
Process32NextW.KERNEL32(00000000,?), ref: 00533CA8
CloseHandle.KERNEL32(00000000), ref: 00533D52

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: b80c17c548faebff2a68a9f5a0e1a1f35b09022e02ae3e0b2902e6db5a7c311e
Instruction ID: 7a2906b512d289d5782513bef2e1b869dc731b5cb4a0a9d389ee6f2d89cd9266
Opcode Fuzzy Hash: b80c17c548faebff2a68a9f5a0e1a1f35b09022e02ae3e0b2902e6db5a7c311e
Instruction Fuzzy Hash: FD3184711083059FD300EF55D8A5AAFBBE8FF95354F50082EF581862A1EB71DA49CB52

Function 0055C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004D2612: GetWindowLongW.USER32(?,000000EB), ref: 004D2623

GetCursorPos.USER32(?), ref: 0055C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0050B9AB,?,?,?,?,?), ref: 0055C4E7
GetCursorPos.USER32(?), ref: 0055C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0050B9AB,?,?,?), ref: 0055C56E

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: dd944672b1835350271fa422ef5c1092d0eb70ae01a614ac3909146ba89340f6
Instruction ID: ffbfb1fcc3616151ae9d14796b8d6e8aac853cefcd49a5cd11e941833f0ded77
Opcode Fuzzy Hash: dd944672b1835350271fa422ef5c1092d0eb70ae01a614ac3909146ba89340f6
Instruction Fuzzy Hash: 3A319335500118EFCF168F98C868EAA7FB5FB09311F44406AFD058B261D731AD58EBA4

Function 00528656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0052810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00528121
Part of subcall function 0052810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0052812B
Part of subcall function 0052810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0052813A
Part of subcall function 0052810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00528141
Part of subcall function 0052810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00528157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005286A3
_memcmp.LIBCMT ref: 005286C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005286FC
HeapFree.KERNEL32(00000000), ref: 00528703

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 2133900cf5f22825bcbb2ccb025f0ee107866dc4be03466e80cff03868cb099e
Instruction ID: 5896903c5cc10c0598d581114990b5d38f1beab851a9ab6847d807c811f88ae7
Opcode Fuzzy Hash: 2133900cf5f22825bcbb2ccb025f0ee107866dc4be03466e80cff03868cb099e
Instruction Fuzzy Hash: E8217A31E02218EBDB10DFA4D948BBEBBB8FF61315F144059E405AB281DB30AE05CB50

Function 004F098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 004F09AE

Part of subcall function 004D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00537896,?,?,00000000), ref: 004D5A2C
Part of subcall function 004D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00537896,?,?,00000000,?,?), ref: 004D5A50

_fprintf.LIBCMT ref: 004F09E5
OutputDebugStringW.KERNEL32(?), ref: 00525DBB

Part of subcall function 004F4AAA: _flsall.LIBCMT ref: 004F4AC3

__setmode.LIBCMT ref: 004F0A1A

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: a0eb08d2d82d0fb0717c51241b722aac059b675d7bad9e04a1d6a26e84381c23
Instruction ID: 4979755dec591bcdea0deffcea6fe81baf9bb6a0c69a0b0c2d8c8a93ca30f823
Opcode Fuzzy Hash: a0eb08d2d82d0fb0717c51241b722aac059b675d7bad9e04a1d6a26e84381c23
Instruction Fuzzy Hash: D71105759042086BDB04B3B5AC4A9BE7BA8AFD1324F24005FF30597282EE28594657AD

Function 00541767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005417A3

Part of subcall function 0054182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0054184C
Part of subcall function 0054182D: InternetCloseHandle.WININET(00000000), ref: 005418E9

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 2ed3a7b1c8ec26a990c2b42b037ae4211f4976305e7291fcb7094b6f25a80dd2
Instruction ID: 9a69dc4c251998a4c424e97eff7baec750db060c45e580e25ba9d18d9546c980
Opcode Fuzzy Hash: 2ed3a7b1c8ec26a990c2b42b037ae4211f4976305e7291fcb7094b6f25a80dd2
Instruction Fuzzy Hash: 0F21F335200B05BFEB169F60DC00FFABFA9FF88715F10442AFA4196650DB71D850A7A4

Function 00533A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0055FAC0), ref: 00533A64
GetLastError.KERNEL32 ref: 00533A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00533A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0055FAC0), ref: 00533ADF

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 051dd7251fd754491841eaf13ae8a9d93eb785cc9b4c1a60eee41e18b8ae0cd0
Instruction ID: 2812a9c54a20068b72e9a121051d6c63c00246c0c57ff32c3605c959a5a4b1fd
Opcode Fuzzy Hash: 051dd7251fd754491841eaf13ae8a9d93eb785cc9b4c1a60eee41e18b8ae0cd0
Instruction Fuzzy Hash: 6D2183745083019F8310DF28C89586ABFE8BF55368F144A6EF499C72A1EB31DE49CB52

Function 0052DCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0052F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0052DCD3,?,?,?,0052EAC6,00000000,000000EF,00000119,?,?), ref: 0052F0CB
Part of subcall function 0052F0BC: lstrcpyW.KERNEL32(00000000,?,?,0052DCD3,?,?,?,0052EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0052F0F1
Part of subcall function 0052F0BC: lstrcmpiW.KERNEL32(00000000,?,0052DCD3,?,?,?,0052EAC6,00000000,000000EF,00000119,?,?), ref: 0052F122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0052EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0052DCEC
lstrcpyW.KERNEL32(00000000,?,?,0052EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0052DD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,0052EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0052DD46

Strings

cdecl, xrefs: 0052DD3D

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: ec743107f081ed314cd7de83148153efb111fb548b54f7116a6f2b949c8e9a65
Instruction ID: 9dd5bd1f02486210c780fb59c96a3a90ad5f6c7c32c87099b6b423f1818b8418
Opcode Fuzzy Hash: ec743107f081ed314cd7de83148153efb111fb548b54f7116a6f2b949c8e9a65
Instruction Fuzzy Hash: 9E11D33A200315EBDB259F34E849D7A7BB8FF86350B40402AF906CB2A1EB719841D7E4

Function 005050E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00505101

Part of subcall function 004F571C: __FF_MSGBANNER.LIBCMT ref: 004F5733
Part of subcall function 004F571C: __NMSG_WRITE.LIBCMT ref: 004F573A
Part of subcall function 004F571C: RtlAllocateHeap.NTDLL(01750000,00000000,00000001,00000000,?,?,?,004F0DD3,?), ref: 004F575F

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: d84cb3daa01f2ed1ee19fa8e0c4e831d783e5b9d5ec075356f710986dc50fc6a
Instruction ID: 9cb4e4fb6dbef33d94403cdd56f1c0bb6aa27bd2285487e2606976252e03a3e9
Opcode Fuzzy Hash: d84cb3daa01f2ed1ee19fa8e0c4e831d783e5b9d5ec075356f710986dc50fc6a
Instruction Fuzzy Hash: E011E372904A19AECF312F71AC0977F3F98BB10365B10092FFA849A1D0EE388940DB94

Function 00546369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00537896,?,?,00000000), ref: 004D5A2C
Part of subcall function 004D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00537896,?,?,00000000,?,?), ref: 004D5A50

gethostbyname.WSOCK32(?,?,?), ref: 00546399
WSAGetLastError.WSOCK32(00000000), ref: 005463A4
_memmove.LIBCMT ref: 005463D1
inet_ntoa.WSOCK32(?), ref: 005463DC

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 3f0b19a01d8633b9255149f983fc64fbdd2caec626faaf6b121cb92b56afddc7
Instruction ID: 7ca60cd4a87397c284cc8928786ea8bebd11a4c82c876163e3594d5fa8cf1476
Opcode Fuzzy Hash: 3f0b19a01d8633b9255149f983fc64fbdd2caec626faaf6b121cb92b56afddc7
Instruction Fuzzy Hash: 0A117F72500109AFCB00FBA5DD66CEE7BB8BF09314B10406AF505A7261DB34AE04DB61

Function 00528B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00528B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00528B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00528B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00528BA4

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 53e170504c9110cfe431a45a96bd32fea895138cd593daadbcd0be77817707f2
Instruction ID: 59b015b5b68b125285d7494538b9b5980ec4d0b577c18dbd31ea69cd6806fd42
Opcode Fuzzy Hash: 53e170504c9110cfe431a45a96bd32fea895138cd593daadbcd0be77817707f2
Instruction Fuzzy Hash: BF110A79901218BFDB11DB95D885EADBBB4FF49710F204095E900B7290DA716E11DB94

Function 004D1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 004D2612: GetWindowLongW.USER32(?,000000EB), ref: 004D2623

DefDlgProcW.USER32(?,00000020,?), ref: 004D12D8
GetClientRect.USER32(?,?), ref: 0050B5FB
GetCursorPos.USER32(?), ref: 0050B605
ScreenToClient.USER32(?,?), ref: 0050B610

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 0b57e8af2107f2c1559f1cfae4beb882d7222f1f6961bb95575602494d996736
Instruction ID: 6f8a373c517f2156e5b224d1ba81d169935c629d0a4e11b784d66e8c54b32058
Opcode Fuzzy Hash: 0b57e8af2107f2c1559f1cfae4beb882d7222f1f6961bb95575602494d996736
Instruction Fuzzy Hash: 6B116A39500119FFCB00EF98D8A99EE7BB9FB15301F100497F901E3250D735BA559BA9

Function 0052D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0052D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0052D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0052D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0052D897

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 0fb21e8dae7edbae2cd558660be952d95a7f3a4fc314a781682f2f38f021f223
Instruction ID: a0ed24dbbfead9be70fadea5a7d120162a7a31c10418b70ad2a8487c1415eb40
Opcode Fuzzy Hash: 0fb21e8dae7edbae2cd558660be952d95a7f3a4fc314a781682f2f38f021f223
Instruction Fuzzy Hash: 8B115E76605324DBE7208F50EC08F93BBBCFF01B00F108969A656D6490D7B0E549EBB1

Function 00506FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00506FDB

Part of subcall function 005076C2: __fltout2.LIBCMT ref: 005076EB

__cftog_l.LIBCMT ref: 00507001
__cftoe_l.LIBCMT ref: 00507033

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 239806c4c9226f81d3d0f9538dc7611eabbc3bde32780810c63c59ee848948ce
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 13014B7284814EBBCF265E84CC19CEE3F66BB1C394F588515FA18580B1D236E9B1AF81

Function 0055B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0055B2E4
ScreenToClient.USER32(?,?), ref: 0055B2FC
ScreenToClient.USER32(?,?), ref: 0055B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0055B33B

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: faf47771cb1b20b286e1f4baf5388691123e49249f68fc197896d960b98ceed0
Instruction ID: 719e1a7568d2e9dbef00356bca2d452ea3df0ee8b7a92f9452fa6da36ece2fef
Opcode Fuzzy Hash: faf47771cb1b20b286e1f4baf5388691123e49249f68fc197896d960b98ceed0
Instruction Fuzzy Hash: 7E1144B9D00209EFDB41CFA9C8849EEBBF9FF18311F108166E914E3220D735AA559F51

Function 00536BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00536BE6

Part of subcall function 005376C4: _memset.LIBCMT ref: 005376F9

_memmove.LIBCMT ref: 00536C09
_memset.LIBCMT ref: 00536C16
LeaveCriticalSection.KERNEL32(?), ref: 00536C26

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 5d1c6f879dca6f83e874d105baeacf8ca1496c5a790c175202c5c3490000ca4c
Instruction ID: 6bbfe1332f122b616a1bd65ec41749c65d73799441da896aaaecc2598ce9f271
Opcode Fuzzy Hash: 5d1c6f879dca6f83e874d105baeacf8ca1496c5a790c175202c5c3490000ca4c
Instruction Fuzzy Hash: 91F0547E100204ABCF016F55DC85A9ABF29EF85365F048065FE095E227CB35E811DBB4

Function 004D2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004D2231
SetTextColor.GDI32(?,000000FF), ref: 004D223B
SetBkMode.GDI32(?,00000001), ref: 004D2250
GetStockObject.GDI32(00000005), ref: 004D2258
GetWindowDC.USER32(?,00000000), ref: 0050BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0050BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0050BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0050BEC2
GetPixel.GDI32(00000000,?,?), ref: 0050BEE2
ReleaseDC.USER32(?,00000000), ref: 0050BEED

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 1e6166abfa7d85c86b7befff480cf9dd519c2e07ad733d4e5431319a6b6132e8
Instruction ID: 4347a5a223596ca1865b6c83a4245379a6378f515ff4b49f954b54e6f704c5fa
Opcode Fuzzy Hash: 1e6166abfa7d85c86b7befff480cf9dd519c2e07ad733d4e5431319a6b6132e8
Instruction Fuzzy Hash: B8E03932504644AAEB215FA4EC5DBD93F10EB25332F008366FA69580E187B14984EB12

Function 00528712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0052871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,005282E6), ref: 00528722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005282E6), ref: 0052872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,005282E6), ref: 00528736

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 747444da72fd24573ad35b136b92756290945dbbf1f5f44a0f92546fc057a5b8
Instruction ID: 694ce1c49cd4afdd731d7cfb2b791eb70d0f2dcd314040d9974e0413d6009a00
Opcode Fuzzy Hash: 747444da72fd24573ad35b136b92756290945dbbf1f5f44a0f92546fc057a5b8
Instruction Fuzzy Hash: 2BE086766123219BDB605FF06D0CB573BBCEF71793F194828B246CA0D0DA348449D750

Function 004D6240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%V, xrefs: 004D624E

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID:
String ID: %V
API String ID: 0-2395648186
Opcode ID: 8fc4a2e324e743da61d5b1bfca95f11f45e315bbc96113f0ec400f4e3b43066e
Instruction ID: 6e64aef7e2c83274c0590c53fad164b73002007454fcfdbf9206c3008f50ffc9
Opcode Fuzzy Hash: 8fc4a2e324e743da61d5b1bfca95f11f45e315bbc96113f0ec400f4e3b43066e
Instruction Fuzzy Hash: 17B190759001099ACF14EF98C4A59FEBBB5FF44314F11402BE916A7391EB389E82CB9D

Function 0054AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0054AFAE

Strings

xbY, xrefs: 0054AFE4
xbY, xrefs: 0054B010

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: __itow_s
String ID: xbY$xbY
API String ID: 3653519197-35300141
Opcode ID: 6e0ef62cd002fe75c47e875f59b8085c90ba7b9b6ba332d9e9295365d6e6f2e9
Instruction ID: 075cd92610c648f3147bdb6decfa9c64b3d9d12cef4193519440f28dccd955b7
Opcode Fuzzy Hash: 6e0ef62cd002fe75c47e875f59b8085c90ba7b9b6ba332d9e9295365d6e6f2e9
Instruction Fuzzy Hash: B9B19C74A00209AFDB14DF55C8A0EFABBB9FF58308F14845AF9459B291EB34E944CB60

Function 0053AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 004EFC86: _wcscpy.LIBCMT ref: 004EFCA9

Part of subcall function 004D9837: __itow.LIBCMT ref: 004D9862
Part of subcall function 004D9837: __swprintf.LIBCMT ref: 004D98AC

__wcsnicmp.LIBCMT ref: 0053B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0053B0F6

Strings

LPT, xrefs: 0053B027

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 9cf5d27866efb15f97367644dc242dbce26e9b7629c624ba22507c5676dd6084
Instruction ID: 8f7f6d05c0240a1efe9b552304f2735340f4507db780fe6ec8a0e4333ceefed8
Opcode Fuzzy Hash: 9cf5d27866efb15f97367644dc242dbce26e9b7629c624ba22507c5676dd6084
Instruction Fuzzy Hash: CD61A371E00219AFDB18EF94C895EAEBBB4FF08710F10405AFA16AB391D734AE44CB54

Function 004E2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 004E2968
GlobalMemoryStatusEx.KERNEL32(?), ref: 004E2981

Strings

@, xrefs: 004E2975

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: e257a063a46a83073fc5e19cedcf66b01b9efe04adab5e353c5b97b36d820a20
Instruction ID: 0f6fa49f68b410f50b4af94a8490bfa7159a34ecc1348547a0e04520cb2431dd
Opcode Fuzzy Hash: e257a063a46a83073fc5e19cedcf66b01b9efe04adab5e353c5b97b36d820a20
Instruction Fuzzy Hash: F95157714187449BD320EF11D896BAFBBE8FB85344F41885EF2D8811A1DB34896CDB6A

Function 00539734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 004D4F0B: __fread_nolock.LIBCMT ref: 004D4F29

_wcscmp.LIBCMT ref: 00539824
_wcscmp.LIBCMT ref: 00539837

Strings

FILE, xrefs: 00539770

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 2f7efbe7d9391b371502e762a08eeed877e5456d9a4348c9e86446155efbe081
Instruction ID: b12b68ba4600ac71de0277a003f3ed0b331e1ac587f0f48e3a719c209aed1b49
Opcode Fuzzy Hash: 2f7efbe7d9391b371502e762a08eeed877e5456d9a4348c9e86446155efbe081
Instruction Fuzzy Hash: 1141B771A0021ABBDF219BA1CC45FEFBBB9EFC5714F00046ABA04B7280D67599048B65

Function 00510574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0051057F

Strings

DdY, xrefs: 004DA317
DdY, xrefs: 004DA151

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ClearVariant
String ID: DdY$DdY
API String ID: 1473721057-3232445540
Opcode ID: bfd57859574f783e1f21f3011782c4db4918290ddaf43025cc01dc9a8fd3aed6
Instruction ID: fe3b5ddb39ec913fe36f3780acee2c8e1e35e59cdc327a7ce20e02b3b2089fc7
Opcode Fuzzy Hash: bfd57859574f783e1f21f3011782c4db4918290ddaf43025cc01dc9a8fd3aed6
Instruction Fuzzy Hash: 525123786083018FDB50CF19C4A4A1ABBF1FB99344F54885EE8858B361D339EC95CF86

Function 0054258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0054259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 005425D4

Strings

|, xrefs: 005425A5

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: caece11e60d1d227beb70f6335cb31668dae42bf9a377b27fb6a5288c5e2b9f8
Instruction ID: 65b90c538ea58a13bd45fe2d18b010d68a6bdbee4919a16958c2a14ee7db81c5
Opcode Fuzzy Hash: caece11e60d1d227beb70f6335cb31668dae42bf9a377b27fb6a5288c5e2b9f8
Instruction Fuzzy Hash: B2313971801119EBCF01EFA5CC95EEEBFB8FF08358F10045AF914AA262EB355956DB60

Function 00557A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00557B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00557B76

Strings

', xrefs: 00557ACA

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: d8c6667f6715a8983ccc80aea898e1ec52c747e0ea1a89785212f9ad4240bb4b
Instruction ID: bff0d5464a3e985a721f8a2a22ad85b29b9df224dac5da8de1829084f954e17a
Opcode Fuzzy Hash: d8c6667f6715a8983ccc80aea898e1ec52c747e0ea1a89785212f9ad4240bb4b
Instruction Fuzzy Hash: CF412774A0430E9FDB14CF65D990BEABBB9FB08311F10016AED04AB381E770AA55DF90

Function 00556A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00556B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00556B53

Strings

static, xrefs: 00556AB3

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 181d791782f19587532549b1be8b849aace7f86ab935aec5db487d784f680384
Instruction ID: 6f3219d3b239ee6ca6f397fd15540ef86b3220810c9718664132e84be8912c35
Opcode Fuzzy Hash: 181d791782f19587532549b1be8b849aace7f86ab935aec5db487d784f680384
Instruction Fuzzy Hash: 0631BE71200644AEEB109F64CCA0BFB7BB9FF48761F50861AFDA5D3190DA30AC85DB60

Function 005328A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00532911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0053294C

Strings

0, xrefs: 0053290A

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: a9e3af62329474c229542623e99717a62121b7da3c61106e406ee6c9b46eacdc
Instruction ID: 03e605afd4689cdee67a567d4c224786c56d9c300ee52ba0b35d3da9dff197a6
Opcode Fuzzy Hash: a9e3af62329474c229542623e99717a62121b7da3c61106e406ee6c9b46eacdc
Instruction Fuzzy Hash: 6531E132A00709EFEB25CF58CD85BAEBFF8FF45350F140429E985A61A1E7709984CB51

Function 005566D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00556761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0055676C

Strings

Combobox, xrefs: 0055672E

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: bab244985a85142db120ee32bf0c6b7ed564e8e591653b988d3c857ca8330448
Instruction ID: e6b8f0f41e8aafd52a7f4e3e48f7927d41339e1500214fbc44960a5f8869e48e
Opcode Fuzzy Hash: bab244985a85142db120ee32bf0c6b7ed564e8e591653b988d3c857ca8330448
Instruction Fuzzy Hash: 5711B6712102486FEF159F54CC90EBB3B6AFB48369F50012AFD1497290D635EC5587A0

Function 00556C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 004D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004D1D73
Part of subcall function 004D1D35: GetStockObject.GDI32(00000011), ref: 004D1D87
Part of subcall function 004D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 004D1D91

GetWindowRect.USER32(00000000,?), ref: 00556C71
GetSysColor.USER32(00000012), ref: 00556C8B

Strings

static, xrefs: 00556C4E

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: dbafcc0737ea1907ade1c5120579a43b2a0745d7dfabe1a4f47cd2e24e3c0c43
Instruction ID: 08fa003b4184a017ca24208469fcd39a7f19ab54c3c1efd473ca892a0c298ec0
Opcode Fuzzy Hash: dbafcc0737ea1907ade1c5120579a43b2a0745d7dfabe1a4f47cd2e24e3c0c43
Instruction Fuzzy Hash: 6D212976510209AFDF04DFA8CC55AEA7BB9FB08315F00462AFD95D3250E735E854DB60

Function 00556920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 005569A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005569B1

Strings

edit, xrefs: 00556986

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 7bb55def9f8a0799be6b750b85b32a2e52139bcd19a0b8971b0153d275e19f93
Instruction ID: ba9f14af155c028cfa67517d5724420e57860a8320379502a7f38c99a547ed17
Opcode Fuzzy Hash: 7bb55def9f8a0799be6b750b85b32a2e52139bcd19a0b8971b0153d275e19f93
Instruction Fuzzy Hash: 0C116D71100248ABEF108E64DC64AEB3BB9FB153B6F904726FDA5971E0C735DC58A760

Function 005329AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00532A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00532A41

Strings

0, xrefs: 00532A18

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: f3a0034c24b5af56426df31edbfffdb58289b74cff44974426b062d15211b42e
Instruction ID: 53aeb2c11715d87a9429c32bf38d6939bfee8a6e73c6cf2ce955ff552a5f32d2
Opcode Fuzzy Hash: f3a0034c24b5af56426df31edbfffdb58289b74cff44974426b062d15211b42e
Instruction Fuzzy Hash: 63110832901914ABCF31DF58DC44BAA7BB8BB45300F254026E895E72A0E7B0AD0AD791

Function 005421D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0054222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00542255

Strings

<local>, xrefs: 0054221D

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 05e4f413d7d19e40f87d4fbd1fde143289030a2dcca86c6257859f47d3b3da84
Instruction ID: 8557b516f5178a3d51090f4c7522eb2bb6cd3cd9961d209499010712776bd069
Opcode Fuzzy Hash: 05e4f413d7d19e40f87d4fbd1fde143289030a2dcca86c6257859f47d3b3da84
Instruction Fuzzy Hash: D4110274509235BADB288F118C84FFBFFA8FF1A359F50862AF90596000D2B06984DAF0

Function 004E092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,004D3C14,005952F8,?,?,?), ref: 004E096E

Part of subcall function 004D7BCC: _memmove.LIBCMT ref: 004D7C06

_wcscat.LIBCMT ref: 00514CB7

Strings

SY, xrefs: 004E09AE

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: SY
API String ID: 257928180-1729131355
Opcode ID: 29112cb94696a4d8056bf1bd289513c8a5dad382815e6ba27eed3cc98fcd8e63
Instruction ID: e75f84e819bc5b0385a65cbfc06bfbf1dc19740b1027925148be309e18c6398e
Opcode Fuzzy Hash: 29112cb94696a4d8056bf1bd289513c8a5dad382815e6ba27eed3cc98fcd8e63
Instruction Fuzzy Hash: DC11A5709052099BCB01EFA5C855EDD7BF8FF08345B1049ABB958D3282FAB4A6884B19

Function 00528E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004D7DE1: _memmove.LIBCMT ref: 004D7E22

Part of subcall function 0052AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0052AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00528E73

Strings

ComboBox, xrefs: 00528E12
ListBox, xrefs: 00528E3D

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 23a9afa5d7d6dc4c3b37ff2f6a46bc9490025b7532fb7ff078ca6c6f061ffebb
Instruction ID: 3d1cf6e7b404a3f0176caeab49f7291ff0e57cb184cacd901060767c7725983f
Opcode Fuzzy Hash: 23a9afa5d7d6dc4c3b37ff2f6a46bc9490025b7532fb7ff078ca6c6f061ffebb
Instruction Fuzzy Hash: 1301B9B1601229AB8B14EBE4DC659FE7B69BF46320B140A1AB871573E1DE355808D750

Function 00528CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004D7DE1: _memmove.LIBCMT ref: 004D7E22

Part of subcall function 0052AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0052AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00528D6B

Strings

ComboBox, xrefs: 00528D0A
ListBox, xrefs: 00528D35

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 833a1fec9449b1907e8fce35557c4f97647d7c54da518e4d1c384fb828f196fc
Instruction ID: 0dd70b2e333f7d18cf0594ca1d341afb464ef7addace4d80e1b92aa126b0dd1a
Opcode Fuzzy Hash: 833a1fec9449b1907e8fce35557c4f97647d7c54da518e4d1c384fb828f196fc
Instruction Fuzzy Hash: 1201F7B1B41119ABCB14EBE1D9A6EFF7BA8EF16300F10001AB801632D1DE245E0CD7B1

Function 00528D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004D7DE1: _memmove.LIBCMT ref: 004D7E22

Part of subcall function 0052AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0052AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00528DEE

Strings

ComboBox, xrefs: 00528D8F
ListBox, xrefs: 00528DBA

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 7f527377918b619e16547a4793a0d6fb2c2095f622667482fac2948ed90f841e
Instruction ID: ada12e098f50df7a981ea0d85fd69de7a1622fad9d47ae611adabd80ee509b69
Opcode Fuzzy Hash: 7f527377918b619e16547a4793a0d6fb2c2095f622667482fac2948ed90f841e
Instruction Fuzzy Hash: 3F01F7B1B41119A7CB10E6E4D9A6EFE7BA8AF16300F10001AB841732D2DE254E0CD675

Function 0052C4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0052C534

Part of subcall function 0052C816: _memmove.LIBCMT ref: 0052C860
Part of subcall function 0052C816: VariantInit.OLEAUT32(00000000), ref: 0052C882
Part of subcall function 0052C816: VariantCopy.OLEAUT32(00000000,?), ref: 0052C88C

VariantClear.OLEAUT32(?), ref: 0052C556

Strings

d}X, xrefs: 0052C517

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}X
API String ID: 2932060187-1337877651
Opcode ID: 44142b04965729e0cb64c324b27cb477ecb3561ab6acbaff99625e2215f8a6a5
Instruction ID: 989e66036df609406d1e7c33d456c7a58b8b76614012ca5c6207ed77c098d0b9
Opcode Fuzzy Hash: 44142b04965729e0cb64c324b27cb477ecb3561ab6acbaff99625e2215f8a6a5
Instruction Fuzzy Hash: F01130719007089FC710EF9AD88489AFBF8FF18314B50856FE58AD7611D770AA48CB90

Function 00534F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00534F46
_wcscmp.LIBCMT ref: 00534F58

Strings

#32770, xrefs: 00534F52

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: f9718c845f6ddb88b05be7a6b461f418239794a7405a324be86bf80415ce0ed9
Instruction ID: 375549b2a7ff32c1aa1c8063b1b40114f577738947ee197ab857e6cfc5a2d9b8
Opcode Fuzzy Hash: f9718c845f6ddb88b05be7a6b461f418239794a7405a324be86bf80415ce0ed9
Instruction Fuzzy Hash: 49E09B3250022826D7109A55DC49AB7FBACEB55B61F010067FD04D2151D5609A4587D0

Function 0050B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0050B314: _memset.LIBCMT ref: 0050B321

Part of subcall function 004F0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0050B2F0,?,?,?,004D100A), ref: 004F0945

IsDebuggerPresent.KERNEL32(?,?,?,004D100A), ref: 0050B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,004D100A), ref: 0050B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0050B2FE

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 355accfe2db97497d726ca331635143141800f88df7cb4218886610899fbc811
Instruction ID: 1ec163fdda7103b04c0f120393c78f5e5c94974624c63899b31d3c9d52ca6a69
Opcode Fuzzy Hash: 355accfe2db97497d726ca331635143141800f88df7cb4218886610899fbc811
Instruction Fuzzy Hash: DFE06DB42007018BEB219F29E81879A7EE8BF10304F15CD6EE846C7781E7B4D448DBA1

Function 00527C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00527C82

Part of subcall function 004F3358: _doexit.LIBCMT ref: 004F3362

Strings

Error allocating memory., xrefs: 00527C7B
AutoIt, xrefs: 00527C76

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: f1bc2dfbdfec36a62bbab4bc33e41a2d79a6d46958473785bde3d871aadba81b
Instruction ID: 30d922150fd85f6fb00fac953d524c2206f57b62c2b68c8c5635bad8356d6690
Opcode Fuzzy Hash: f1bc2dfbdfec36a62bbab4bc33e41a2d79a6d46958473785bde3d871aadba81b
Instruction Fuzzy Hash: 45D012323C831C36E21576A66C07BDA6A889F15B56F14041BBF04A95D349D5898092ED

Function 00511935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00511775

Part of subcall function 0054BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0051195E,?), ref: 0054BFFE
Part of subcall function 0054BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0054C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0051196D

Strings

WIN_XPe, xrefs: 00511788

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 52859fe7c5b41eead30e9ad02ac23aa705134de321d15c18a61ae9146c0d0a70
Instruction ID: 1829565bb75213896b347bc9a7963a1b5f18b8db879c4947616eabcbd96869b7
Opcode Fuzzy Hash: 52859fe7c5b41eead30e9ad02ac23aa705134de321d15c18a61ae9146c0d0a70
Instruction Fuzzy Hash: 6BF0C970800509DFEB15EBA1C998AECBBF8FB18305F5404D6E206A2290DB759F89DF65

Function 00555964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0055596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00555981

Part of subcall function 00535244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005352BC

Strings

Shell_TrayWnd, xrefs: 00555967

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c68eba2f882f6edd4f255f5b0526fc74671d0bb466439053b7777a0560cfbf55
Instruction ID: d8970e5f0c61113c557a04d62ad951c73fd1947adfbe264e195a039945aaf1a1
Opcode Fuzzy Hash: c68eba2f882f6edd4f255f5b0526fc74671d0bb466439053b7777a0560cfbf55
Instruction Fuzzy Hash: 55D0C935384311B7E664BB709C1FFA76A14BB50B51F000825B749AB1D0E9E0A804C754

Function 00555998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005559AE
PostMessageW.USER32(00000000), ref: 005559B5

Part of subcall function 00535244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005352BC

Strings

Shell_TrayWnd, xrefs: 005559A7

Memory Dump Source

Source File: 00000000.00000002.2146445669.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true

Associated: 00000000.00000002.2146417412.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.000000000055F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146498888.0000000000584000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146541159.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.0000000000597000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2146557607.00000000005A5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_41570002689_20220814_05352297_HesapOzeti.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 4a367f9f7ac0128f7d5b24d7e311e6a3506ca996829db18cde54ee0118960363
Instruction ID: feb12eb24a20f361b6071d47126d0deaf893cdb7fdf0c5be6a4d0d88c8182c43
Opcode Fuzzy Hash: 4a367f9f7ac0128f7d5b24d7e311e6a3506ca996829db18cde54ee0118960363
Instruction Fuzzy Hash: C0D0C9353C0311BBE664BB709C1FF976A14BB54B51F000825B745AB1D0E9E0A804C754

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 41570002689_20220814_05352297_HesapOzeti.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut2F70.tmp

C:\Users\user\AppData\Local\Temp\autE8C2.tmp

C:\Users\user\AppData\Local\Temp\autF749.tmp

C:\Users\user\AppData\Local\Temp\starbright

C:\Users\user\AppData\Local\nonplacental\juvenile.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
41570002689_20220814_05352297_HesapOzeti.exe

Function 004D3B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 004D49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 004D4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00539155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 004D3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 004D3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 004D708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 004D3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 004D3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 004D3766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre